fef71efaf93624e6723a7afb0b69d34af5922e505aa4bcc5382d2aa1adcc44fa

Analysis

max time kernel
23s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2023, 13:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6ffb69dd1d76971429700e379d9809f9_mafia_JC.exe
Size

4.0MB
MD5

6ffb69dd1d76971429700e379d9809f9
SHA1

340fb213a81771773d5de1f01fc1d82acce05575
SHA256

fef71efaf93624e6723a7afb0b69d34af5922e505aa4bcc5382d2aa1adcc44fa
SHA512

932e32c2dc172f1830f5c2f01fd318402cb4582935cd9ec886343963689953fd6173fb271239a4bb656040ba07f120d9c58f76821c96150698dc86201f4fec0a
SSDEEP

98304:cJ5rFwnApezgOS9V3AMfSEJAC9vvKK/OYq:CF2nuezgOoQaHIKe

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 33 IoCs

pid	pid_target	Process	procid_target
1732	1464	WerFault.exe	82
3820	5056	WerFault.exe	95
4732	4400	WerFault.exe	103
3824	4824	WerFault.exe	105
3368	4408	WerFault.exe	112
672	3208	WerFault.exe	118
3296	1800	WerFault.exe	120
4084	1108	WerFault.exe	128
852	1036	WerFault.exe	126
3400	3740	WerFault.exe	136
2180	1332	WerFault.exe	134
3428	1040	WerFault.exe	142
3544	3712	WerFault.exe	149
4444	4604	WerFault.exe	147
3576	560	WerFault.exe	157
2096	712	WerFault.exe	155
4740	3860	WerFault.exe	163
4244	3644	WerFault.exe	165
4348	3232	WerFault.exe	173
3936	840	WerFault.exe	171
4148	4056	WerFault.exe	179
184	2220	WerFault.exe	186
1156	1420	WerFault.exe	184
1116	2152	WerFault.exe	194
4936	1600	WerFault.exe	192
3624	4220	WerFault.exe	200
4024	1472	WerFault.exe	207
660	2836	WerFault.exe	205
4204	752	WerFault.exe	215
3376	2544	WerFault.exe	213
552	3964	WerFault.exe	221
4812	1500	WerFault.exe	227
4092	4532	WerFault.exe	226

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498570331-2313266200-788959944-1000\{06B4665A-1782-453C-A0A3-B6E02EB2E3FC}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498570331-2313266200-788959944-1000\{86965362-9E13-45E7-9D8C-05C42A52C02E}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498570331-2313266200-788959944-1000\{B34898FC-7672-4CAE-97BE-DB45AC3ABF3D}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeCreatePagefilePrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeCreatePagefilePrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeCreatePagefilePrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeCreatePagefilePrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeCreatePagefilePrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeCreatePagefilePrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeCreatePagefilePrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeCreatePagefilePrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeCreatePagefilePrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeCreatePagefilePrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeCreatePagefilePrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	4400	explorer.exe
Token: SeCreatePagefilePrivilege	4400	explorer.exe
Token: SeShutdownPrivilege	4400	explorer.exe
Token: SeCreatePagefilePrivilege	4400	explorer.exe
Token: SeShutdownPrivilege	4400	explorer.exe
Token: SeCreatePagefilePrivilege	4400	explorer.exe
Token: SeShutdownPrivilege	4400	explorer.exe
Token: SeCreatePagefilePrivilege	4400	explorer.exe
Token: SeShutdownPrivilege	4400	explorer.exe
Token: SeCreatePagefilePrivilege	4400	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
4400	explorer.exe
4400	explorer.exe
4400	explorer.exe
4400	explorer.exe
4400	explorer.exe
4400	explorer.exe
4400	explorer.exe
4400	explorer.exe
4400	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3720	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\6ffb69dd1d76971429700e379d9809f9_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6ffb69dd1d76971429700e379d9809f9_mafia_JC.exe"
1⤵
PID:3580

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1464
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1464 -s 6232
  2⤵
  - Program crash
  PID:1732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 1464 -ip 1464
1⤵
PID:2932

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5056
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5056 -s 7256
  2⤵
  - Program crash
  PID:3820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 5056 -ip 5056
1⤵
PID:3208

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4400
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4400 -s 7428
  2⤵
  - Program crash
  PID:4732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4824
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4824 -s 4036
  2⤵
  - Program crash
  PID:3824

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 4824 -ip 4824
1⤵
PID:3424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 4400 -ip 4400
1⤵
PID:752

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4408
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4408 -s 5968
  2⤵
  - Program crash
  PID:3368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 4408 -ip 4408
1⤵
PID:3744

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3208
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3208 -s 7532
  2⤵
  - Program crash
  PID:672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4884

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1800
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1800 -s 3572
  2⤵
  - Program crash
  PID:3296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 1800 -ip 1800
1⤵
PID:4908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 3208 -ip 3208
1⤵
PID:4512

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1036
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1036 -s 7432
  2⤵
  - Program crash
  PID:852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1108 -s 3536
  2⤵
  - Program crash
  PID:4084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 1108 -ip 1108
1⤵
PID:2840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 1036 -ip 1036
1⤵
PID:3540

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1332
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1332 -s 3380
  2⤵
  - Program crash
  PID:2180

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4344

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3740
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3740 -s 3584
  2⤵
  - Program crash
  PID:3400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 3740 -ip 3740
1⤵
PID:3368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 1332 -ip 1332
1⤵
PID:2840

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1040 -s 6108
  2⤵
  - Program crash
  PID:3428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1236

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 1040 -ip 1040
1⤵
PID:4216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4604
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4604 -s 7640
  2⤵
  - Program crash
  PID:4444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5044

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3712
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3712 -s 3584
  2⤵
  - Program crash
  PID:3544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 3712 -ip 3712
1⤵
PID:4844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 4604 -ip 4604
1⤵
PID:2232

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:712
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 712 -s 7728
  2⤵
  - Program crash
  PID:2096

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4720

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:560
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 560 -s 3548
  2⤵
  - Program crash
  PID:3576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 560 -ip 560
1⤵
PID:4276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 712 -ip 712
1⤵
PID:1224

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3860
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3860 -s 1924
  2⤵
  - Program crash
  PID:4740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3644
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3644 -s 3556
  2⤵
  - Program crash
  PID:4244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 3644 -ip 3644
1⤵
PID:864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 3860 -ip 3860
1⤵
PID:1340

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:840
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 840 -s 2824
  2⤵
  - Program crash
  PID:3936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3232
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3232 -s 3580
  2⤵
  - Program crash
  PID:4348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 3232 -ip 3232
1⤵
PID:2496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 840 -ip 840
1⤵
PID:1340

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4056
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4056 -s 6124
  2⤵
  - Program crash
  PID:4148

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 4056 -ip 4056
1⤵
PID:2916

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1420
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1420 -s 6304
  2⤵
  - Program crash
  PID:1156

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2220
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2220 -s 3588
  2⤵
  - Program crash
  PID:184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 2220 -ip 2220
1⤵
PID:228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 1420 -ip 1420
1⤵
PID:1104

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1600
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1600 -s 7676
  2⤵
  - Program crash
  PID:4936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3204

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2152
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2152 -s 3596
  2⤵
  - Program crash
  PID:1116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2152 -ip 2152
1⤵
PID:2272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 1600 -ip 1600
1⤵
PID:3664

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4220
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4220 -s 6284
  2⤵
  - Program crash
  PID:3624

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 648 -p 4220 -ip 4220
1⤵
PID:4012

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2836
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2836 -s 6100
  2⤵
  - Program crash
  PID:660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1472
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1472 -s 3580
  2⤵
  - Program crash
  PID:4024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 1472 -ip 1472
1⤵
PID:2412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 740 -p 2836 -ip 2836
1⤵
PID:3964

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2544
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2544 -s 7496
  2⤵
  - Program crash
  PID:3376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:752
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 752 -s 3580
  2⤵
  - Program crash
  PID:4204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 764 -p 752 -ip 752
1⤵
PID:4408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 2544 -ip 2544
1⤵
PID:2308

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3964
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3964 -s 6184
  2⤵
  - Program crash
  PID:552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 716 -p 3964 -ip 3964
1⤵
PID:1116

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4532
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4532 -s 7784
  2⤵
  - Program crash
  PID:4092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1500
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1500 -s 3924
  2⤵
  - Program crash
  PID:4812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 720 -p 1500 -ip 1500
1⤵
PID:5112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 684 -p 4532 -ip 4532
1⤵
PID:4716

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
2919b3baf938d2e3ce1bd7df60366ab9

SHA1
d96c472a76ea6a4fe46c905bbd3290d25e72ab90

SHA256
ff4a593993b067379ae88ecc2b0c7ecbe78877de254b1eadf7daa11737c79247

SHA512
005da0a78d6f94299bb16cdefde2222a0a1498acff936bdcf7a44c61bbe9704c256ca511700a846448794307928d2487be3ae0c8a412fa5be5673a20c73fb6c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
66e628b9a39246b232e852965e06b3b3

SHA1
6154b8be126076e32cdb6e97a2d431962a9dad84

SHA256
5a0aca4c793ca4f7dde0825cec4262749e779699293aab66aef8ccd5ef990f2f

SHA512
56d36ae4f69ff188fcd95cc5123cbdae57a372464ad60182b59e5f9d29455f1b6ca2789b1a7ed287047277e7ae7dc15da23c593f4dcbeba3a582674ee1abeef6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
memory/560-270-0x000001A5DAD60000-0x000001A5DAD80000-memory.dmp

Filesize
128KB

Download
memory/560-273-0x000001A5DB370000-0x000001A5DB390000-memory.dmp

Filesize
128KB

Download
memory/560-268-0x000001A5DADA0000-0x000001A5DADC0000-memory.dmp

Filesize
128KB

Download
memory/712-261-0x0000000003EB0000-0x0000000003EB1000-memory.dmp

Filesize
4KB

Download
memory/752-411-0x000001F4BFF30000-0x000001F4BFF50000-memory.dmp

Filesize
128KB

Download
memory/752-409-0x000001F4BFF70000-0x000001F4BFF90000-memory.dmp

Filesize
128KB

Download
memory/752-414-0x000001F4C0340000-0x000001F4C0360000-memory.dmp

Filesize
128KB

Download
memory/840-308-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1036-191-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/1108-203-0x000001FAE5720000-0x000001FAE5740000-memory.dmp

Filesize
128KB

Download
memory/1108-201-0x000001FAE5110000-0x000001FAE5130000-memory.dmp

Filesize
128KB

Download
memory/1108-198-0x000001FAE5150000-0x000001FAE5170000-memory.dmp

Filesize
128KB

Download
memory/1332-214-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/1420-331-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1472-386-0x00000194B85A0000-0x00000194B85C0000-memory.dmp

Filesize
128KB

Download
memory/1472-389-0x00000194B8560000-0x00000194B8580000-memory.dmp

Filesize
128KB

Download
memory/1472-392-0x00000194B8B80000-0x00000194B8BA0000-memory.dmp

Filesize
128KB

Download
memory/1500-430-0x00000172466E0000-0x0000017246700000-memory.dmp

Filesize
128KB

Download
memory/1500-433-0x00000172466A0000-0x00000172466C0000-memory.dmp

Filesize
128KB

Download
memory/1500-436-0x0000017246AB0000-0x0000017246AD0000-memory.dmp

Filesize
128KB

Download
memory/1600-354-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/1800-180-0x000001D49A410000-0x000001D49A430000-memory.dmp

Filesize
128KB

Download
memory/1800-176-0x000001D49A000000-0x000001D49A020000-memory.dmp

Filesize
128KB

Download
memory/1800-173-0x000001D49A040000-0x000001D49A060000-memory.dmp

Filesize
128KB

Download
memory/2152-364-0x000002D21E9A0000-0x000002D21E9C0000-memory.dmp

Filesize
128KB

Download
memory/2152-366-0x000002D21EFB0000-0x000002D21EFD0000-memory.dmp

Filesize
128KB

Download
memory/2152-362-0x000002D21E9E0000-0x000002D21EA00000-memory.dmp

Filesize
128KB

Download
memory/2220-345-0x0000015091700000-0x0000015091720000-memory.dmp

Filesize
128KB

Download
memory/2220-339-0x00000150912B0000-0x00000150912D0000-memory.dmp

Filesize
128KB

Download
memory/2220-342-0x0000015091260000-0x0000015091280000-memory.dmp

Filesize
128KB

Download
memory/2544-401-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/2836-379-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/3208-165-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/3232-317-0x000001B4852A0000-0x000001B4852C0000-memory.dmp

Filesize
128KB

Download
memory/3232-315-0x000001B4852E0000-0x000001B485300000-memory.dmp

Filesize
128KB

Download
memory/3232-320-0x000001B485940000-0x000001B485960000-memory.dmp

Filesize
128KB

Download
memory/3644-292-0x000002500FB20000-0x000002500FB40000-memory.dmp

Filesize
128KB

Download
memory/3644-299-0x000002500FF30000-0x000002500FF50000-memory.dmp

Filesize
128KB

Download
memory/3644-295-0x000002500F7E0000-0x000002500F800000-memory.dmp

Filesize
128KB

Download
memory/3712-245-0x0000020514CF0000-0x0000020514D10000-memory.dmp

Filesize
128KB

Download
memory/3712-250-0x0000020515380000-0x00000205153A0000-memory.dmp

Filesize
128KB

Download
memory/3712-248-0x0000020514CB0000-0x0000020514CD0000-memory.dmp

Filesize
128KB

Download
memory/3740-227-0x000001725B760000-0x000001725B780000-memory.dmp

Filesize
128KB

Download
memory/3740-223-0x000001725B350000-0x000001725B370000-memory.dmp

Filesize
128KB

Download
memory/3740-221-0x000001725B390000-0x000001725B3B0000-memory.dmp

Filesize
128KB

Download
memory/3860-284-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4400-142-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/4532-423-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/4604-237-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/4824-151-0x000001A4A2580000-0x000001A4A25A0000-memory.dmp

Filesize
128KB

Download
memory/4824-149-0x000001A4A25C0000-0x000001A4A25E0000-memory.dmp

Filesize
128KB

Download
memory/4824-154-0x000001A4A2990000-0x000001A4A29B0000-memory.dmp

Filesize
128KB

Download
memory/5056-140-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads