e4e84c4f8c8daea3bece548edb2b3ce8e6023582c9b3e515ca040dda6ba9bc64

Analysis

max time kernel
30s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2023, 11:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

84dfc4fc53bf38e4c553265925cea90e_mafia_JC.exe
Size

3.7MB
MD5

84dfc4fc53bf38e4c553265925cea90e
SHA1

3c18aa30d32371fe18130d2bfacdc23a9482237d
SHA256

e4e84c4f8c8daea3bece548edb2b3ce8e6023582c9b3e515ca040dda6ba9bc64
SHA512

15caf6ff48a5d7dfe7f5301495eb4850c0ff61fff302f7eab3ff0fce8ce0295c2d6ae5158b1351f4b4184d67be5c994996a1d9e9b771b6c9ffb8555484f67296
SSDEEP

49152:09yiCJ5rFwnANZGEXep+9TxFegOSDAmosh3ANkTTl3AI78wsqEqbOvYA7i5AG3RZ:bJ5rFwnApezgOS9V3AMlbU7UZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	WerFault.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	WerFault.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Program crash 47 IoCs

pid	pid_target	Process	procid_target
228	3768	WerFault.exe	87
3500	4728	WerFault.exe	96
3312	708	WerFault.exe	105
5028	2148	WerFault.exe	103
1120	5084	WerFault.exe	111
4676	4972	WerFault.exe	117
1988	3776	WerFault.exe	124
3716	3872	WerFault.exe	122
3184	2604	WerFault.exe	133
684	1212	WerFault.exe	130
832	4160	WerFault.exe	142
508	3580	WerFault.exe	140
1740	2812	WerFault.exe	150
1976	1504	WerFault.exe	148
2604	2864	WerFault.exe	158
1620	3184	WerFault.exe	156
4152	1040	WerFault.exe	166
1624	3716	WerFault.exe	164
1688	640	WerFault.exe	174
1560	2812	WerFault.exe	172
3612	2516	WerFault.exe	182
3700	1632	WerFault.exe	180
4360	4724	WerFault.exe	190
4568	4228	WerFault.exe	188
2872	3320	WerFault.exe	198
788	5032	WerFault.exe	196
2084	2788	WerFault.exe	206
940	3828	WerFault.exe	204
652	2624	WerFault.exe	212
3844	708	WerFault.exe	219
1788	3984	WerFault.exe	217
4152	812	WerFault.exe	227
4820	3440	WerFault.exe	225
2320	764	WerFault.exe	235
368	228	WerFault.exe	233
1212	1716	WerFault.exe	241
1780	4452	WerFault.exe	248
1288	4988	WerFault.exe	246
2788	4480	WerFault.exe	256
4120	532	WerFault.exe	254
2232	2096	WerFault.exe	263
3784	3056	WerFault.exe	262
4432	3904	WerFault.exe	272
2036	1508	WerFault.exe	270
1264	3480	WerFault.exe	280
928	3464	WerFault.exe	278
2068	3612	WerFault.exe	288

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{48DC9DD4-D76C-4023-8EFE-07007F77CCCE}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{AB2DDC96-DD3F-4B3D-8E7F-D580F716AC0F}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{93B69FA3-56A4-4368-AC8A-34E63C21D260}	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	4728	explorer.exe
Token: SeCreatePagefilePrivilege	4728	explorer.exe
Token: SeShutdownPrivilege	4728	explorer.exe
Token: SeCreatePagefilePrivilege	4728	explorer.exe
Token: SeShutdownPrivilege	4728	explorer.exe
Token: SeCreatePagefilePrivilege	4728	explorer.exe
Token: SeShutdownPrivilege	4728	explorer.exe
Token: SeCreatePagefilePrivilege	4728	explorer.exe
Token: SeShutdownPrivilege	4728	explorer.exe
Token: SeCreatePagefilePrivilege	4728	explorer.exe
Token: SeShutdownPrivilege	4728	explorer.exe
Token: SeCreatePagefilePrivilege	4728	explorer.exe
Token: SeShutdownPrivilege	4728	explorer.exe
Token: SeCreatePagefilePrivilege	4728	explorer.exe
Token: SeShutdownPrivilege	4728	explorer.exe
Token: SeCreatePagefilePrivilege	4728	explorer.exe
Token: SeShutdownPrivilege	4728	explorer.exe
Token: SeCreatePagefilePrivilege	4728	explorer.exe
Token: SeShutdownPrivilege	4728	explorer.exe
Token: SeCreatePagefilePrivilege	4728	explorer.exe
Token: SeShutdownPrivilege	4728	explorer.exe
Token: SeCreatePagefilePrivilege	4728	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
5084	Process not Found
5084	Process not Found
5084	Process not Found
5084	Process not Found
5084	Process not Found
5084	Process not Found
5084	Process not Found
5084	Process not Found
5084	Process not Found
5084	Process not Found
5084	Process not Found
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4944	StartMenuExperienceHost.exe
4372	StartMenuExperienceHost.exe
2012	StartMenuExperienceHost.exe
708	SearchApp.exe
3576	StartMenuExperienceHost.exe
3996	StartMenuExperienceHost.exe
3236	StartMenuExperienceHost.exe
3776	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\84dfc4fc53bf38e4c553265925cea90e_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\84dfc4fc53bf38e4c553265925cea90e_mafia_JC.exe"
1⤵
PID:2124

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3768
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3768 -s 5944
  2⤵
  - Program crash
  PID:228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4944

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 3768 -ip 3768
1⤵
PID:4804

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4728
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4728 -s 6012
  2⤵
  - Program crash
  PID:3500

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4728 -ip 4728
1⤵
PID:3792

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2148
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2148 -s 7428
  2⤵
  - Program crash
  PID:5028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:708
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 708 -s 3984
  2⤵
  - Program crash
  PID:3312

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 708 -ip 708
1⤵
PID:3048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2148 -ip 2148
1⤵
PID:780

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5084
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5084 -s 5824
  2⤵
  - Program crash
  PID:1120

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 5084 -ip 5084
1⤵
PID:4476

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4972 -s 5984
  2⤵
  - Program crash
  PID:4676

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 4972 -ip 4972
1⤵
PID:2516

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:3872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3872 -s 7292
  2⤵
  - Program crash
  PID:3716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3236

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3776
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3776 -s 3580
  2⤵
  - Program crash
  PID:1988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 3776 -ip 3776
1⤵
PID:1488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 3872 -ip 3872
1⤵
PID:3240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1212
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1212 -s 5984
  2⤵
  - Program crash
  PID:684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3796

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2604
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2604 -s 3520
  2⤵
  - Program crash
  PID:3184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 2604 -ip 2604
1⤵
PID:4208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 1212 -ip 1212
1⤵
PID:1444

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3580
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3580 -s 7432
  2⤵
  - Program crash
  PID:508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3584

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4160
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4160 -s 3556
  2⤵
  - Program crash
  PID:832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 4160 -ip 4160
1⤵
PID:1788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3580 -ip 3580
1⤵
PID:3708

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1504
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1504 -s 5820
  2⤵
  - Program crash
  PID:1976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:412

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2812
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2812 -s 3628
  2⤵
  - Program crash
  PID:1740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 2812 -ip 2812
1⤵
PID:4360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1504 -ip 1504
1⤵
PID:4676

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3184
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3184 -s 7336
  2⤵
  - Program crash
  PID:1620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3828

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2864 -s 3508
  2⤵
  - Program crash
  PID:2604

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 2864 -ip 2864
1⤵
PID:2716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 3184 -ip 3184
1⤵
PID:4024

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3716
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3716 -s 7508
  2⤵
  - Program crash
  PID:1624

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1264

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1040 -s 3584
  2⤵
  - Program crash
  PID:4152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 1040 -ip 1040
1⤵
PID:2840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 3716 -ip 3716
1⤵
PID:3480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2812
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2812 -s 4020
  2⤵
  - Program crash
  PID:1560

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:640
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 640 -s 3620
  2⤵
  - Program crash
  PID:1688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 640 -ip 640
1⤵
PID:3964

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 2812 -ip 2812
1⤵
PID:3084

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1632
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1632 -s 4904
  2⤵
  - Program crash
  PID:3700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3720

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2516
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2516 -s 3572
  2⤵
  - Program crash
  PID:3612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 2516 -ip 2516
1⤵
PID:1872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 1632 -ip 1632
1⤵
PID:4696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4228
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4228 -s 7452
  2⤵
  - Program crash
  PID:4568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4148

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4724
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4724 -s 3584
  2⤵
  - Program crash
  PID:4360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 4724 -ip 4724
1⤵
PID:1688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 4228 -ip 4228
1⤵
PID:1560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5032
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5032 -s 7524
  2⤵
  - Program crash
  PID:788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3320
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3320 -s 3604
  2⤵
  - Program crash
  PID:2872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 3320 -ip 3320
1⤵
PID:4024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 5032 -ip 5032
1⤵
PID:3496

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3828
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3828 -s 5940
  2⤵
  - Program crash
  PID:940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3332

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2788
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2788 -s 3516
  2⤵
  - Program crash
  PID:2084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 2788 -ip 2788
1⤵
PID:1048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 3828 -ip 3828
1⤵
PID:4060

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2624
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2624 -s 5992
  2⤵
  - Program crash
  PID:652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 2624 -ip 2624
1⤵
PID:3196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3984
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3984 -s 6004
  2⤵
  - Program crash
  PID:1788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1632

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:708
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 708 -s 3576
  2⤵
  - Program crash
  PID:3844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 708 -ip 708
1⤵
PID:3888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 3984 -ip 3984
1⤵
PID:228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3440
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3440 -s 7480
  2⤵
  - Program crash
  PID:4820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:208

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:812
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 812 -s 3564
  2⤵
  - Program crash
  PID:4152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 812 -ip 812
1⤵
PID:1496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 3440 -ip 3440
1⤵
PID:3508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:228
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 228 -s 7404
  2⤵
  - Program crash
  PID:368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4836

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:764
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 764 -s 3580
  2⤵
  - Program crash
  PID:2320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 764 -ip 764
1⤵
PID:2140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 228 -ip 228
1⤵
PID:1028

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1716
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1716 -s 6032
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Program crash
  - Modifies registry class
  PID:1212

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 1716 -ip 1716
1⤵
PID:728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4988
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4988 -s 3544
  2⤵
  - Program crash
  PID:1288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4452
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4452 -s 3616
  2⤵
  - Program crash
  PID:1780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 4452 -ip 4452
1⤵
PID:4736

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 640 -p 4988 -ip 4988
1⤵
PID:2096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:532
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 532 -s 1152
  2⤵
  - Program crash
  PID:4120

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1552

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4480
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4480 -s 2268
  2⤵
  - Program crash
  PID:2788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 4480 -ip 4480
1⤵
PID:2232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 532 -ip 532
1⤵
PID:1952

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3056
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3056 -s 4432
  2⤵
  - Program crash
  PID:3784

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2096
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2096 -s 3924
  2⤵
  - Program crash
  PID:2232

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 640 -p 2096 -ip 2096
1⤵
PID:448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 3056 -ip 3056
1⤵
PID:4892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1508
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1508 -s 7400
  2⤵
  - Program crash
  PID:2036

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4584

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3904 -s 3552
  2⤵
  - Program crash
  PID:4432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3904 -ip 3904
1⤵
PID:3048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 1508 -ip 1508
1⤵
PID:1544

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3464
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3464 -s 5660
  2⤵
  - Program crash
  PID:928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3860

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3480
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3480 -s 3588
  2⤵
  - Program crash
  PID:1264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3480 -ip 3480
1⤵
PID:1124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 3464 -ip 3464
1⤵
PID:2512

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3612 -s 3612
  2⤵
  - Program crash
  PID:2068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 3612 -ip 3612
1⤵
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
3cd4fca4d4509bcb7d7cd12aa5257e13

SHA1
6420e012f1863abe74ebd08c0c93ee9449cd1f11

SHA256
42f6ee82ea0571af5618df4a3f7bba0f805a3a6c2f370f0c16186263d2665b89

SHA512
19788dd7e0d5aaf3cbdf7785ac80a6d10a8c3c5f5d5fba180fa65619ffe2d93bf708d882bb59f79c9a3c79b7745515eba5d14f11b5cba5995afc32d0f15f5400

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
c0c4a2eae64a571868d7f3e863b48854

SHA1
5caa7e921025da8fb9928fd1166616c3d66d59b1

SHA256
f185388f7d3a251c1ceaf01b2c567b7ed8cd843012caeb2964088f2e6d51b849

SHA512
d6d63fa9e5ebfd0c8c339103056f1c434e11b1db6e3e96f9f65ab8369753c56ded8dbe5af250cc57adf4b5df8276d4ba7f05ebd62b09cac4ca95784b5ed9dad4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
memory/228-460-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/640-311-0x000001E5D8D20000-0x000001E5D8D40000-memory.dmp

Filesize
128KB

Download
memory/640-313-0x000001E5D9130000-0x000001E5D9150000-memory.dmp

Filesize
128KB

Download
memory/640-309-0x000001E5D8D60000-0x000001E5D8D80000-memory.dmp

Filesize
128KB

Download
memory/708-427-0x000002D600A30000-0x000002D600A50000-memory.dmp

Filesize
128KB

Download
memory/708-150-0x0000014229A20000-0x0000014229A40000-memory.dmp

Filesize
128KB

Download
memory/708-152-0x0000014229E30000-0x0000014229E50000-memory.dmp

Filesize
128KB

Download
memory/708-425-0x000002D600A70000-0x000002D600A90000-memory.dmp

Filesize
128KB

Download
memory/708-148-0x0000014229A60000-0x0000014229A80000-memory.dmp

Filesize
128KB

Download
memory/708-430-0x000002D600E40000-0x000002D600E60000-memory.dmp

Filesize
128KB

Download
memory/764-472-0x000001C68DAE0000-0x000001C68DB00000-memory.dmp

Filesize
128KB

Download
memory/764-470-0x000001C68D4C0000-0x000001C68D4E0000-memory.dmp

Filesize
128KB

Download
memory/764-468-0x000001C68D500000-0x000001C68D520000-memory.dmp

Filesize
128KB

Download
memory/812-448-0x0000028BBB270000-0x0000028BBB290000-memory.dmp

Filesize
128KB

Download
memory/812-451-0x0000028BBB230000-0x0000028BBB250000-memory.dmp

Filesize
128KB

Download
memory/812-454-0x0000028BBB640000-0x0000028BBB660000-memory.dmp

Filesize
128KB

Download
memory/1040-291-0x00000244C4A60000-0x00000244C4A80000-memory.dmp

Filesize
128KB

Download
memory/1040-288-0x00000244C4450000-0x00000244C4470000-memory.dmp

Filesize
128KB

Download
memory/1040-286-0x00000244C4490000-0x00000244C44B0000-memory.dmp

Filesize
128KB

Download
memory/1212-189-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/1504-232-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/1632-324-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2148-141-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/2516-332-0x0000023409060000-0x0000023409080000-memory.dmp

Filesize
128KB

Download
memory/2516-334-0x0000023409020000-0x0000023409040000-memory.dmp

Filesize
128KB

Download
memory/2516-336-0x0000023409430000-0x0000023409450000-memory.dmp

Filesize
128KB

Download
memory/2604-197-0x000001E2034D0000-0x000001E2034F0000-memory.dmp

Filesize
128KB

Download
memory/2604-200-0x000001E203490000-0x000001E2034B0000-memory.dmp

Filesize
128KB

Download
memory/2604-203-0x000001E2038A0000-0x000001E2038C0000-memory.dmp

Filesize
128KB

Download
memory/2788-407-0x00000224C8EA0000-0x00000224C8EC0000-memory.dmp

Filesize
128KB

Download
memory/2788-401-0x00000224C88C0000-0x00000224C88E0000-memory.dmp

Filesize
128KB

Download
memory/2788-404-0x00000224C8880000-0x00000224C88A0000-memory.dmp

Filesize
128KB

Download
memory/2812-244-0x000001E030900000-0x000001E030920000-memory.dmp

Filesize
128KB

Download
memory/2812-242-0x000001E0302F0000-0x000001E030310000-memory.dmp

Filesize
128KB

Download
memory/2812-240-0x000001E030330000-0x000001E030350000-memory.dmp

Filesize
128KB

Download
memory/2812-301-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/2864-267-0x0000021B28E50000-0x0000021B28E70000-memory.dmp

Filesize
128KB

Download
memory/2864-263-0x0000021B28A80000-0x0000021B28AA0000-memory.dmp

Filesize
128KB

Download
memory/2864-265-0x0000021B28A40000-0x0000021B28A60000-memory.dmp

Filesize
128KB

Download
memory/3184-255-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/3320-378-0x000002155E700000-0x000002155E720000-memory.dmp

Filesize
128KB

Download
memory/3320-380-0x000002155E3C0000-0x000002155E3E0000-memory.dmp

Filesize
128KB

Download
memory/3320-382-0x000002155EAD0000-0x000002155EAF0000-memory.dmp

Filesize
128KB

Download
memory/3440-440-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/3580-209-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/3716-278-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/3776-174-0x00000132EF760000-0x00000132EF780000-memory.dmp

Filesize
128KB

Download
memory/3776-176-0x00000132EF720000-0x00000132EF740000-memory.dmp

Filesize
128KB

Download
memory/3776-178-0x00000132EFB30000-0x00000132EFB50000-memory.dmp

Filesize
128KB

Download
memory/3828-393-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/3872-166-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/3984-417-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/4160-217-0x000002B677660000-0x000002B677680000-memory.dmp

Filesize
128KB

Download
memory/4160-220-0x000002B677620000-0x000002B677640000-memory.dmp

Filesize
128KB

Download
memory/4160-224-0x000002B677A30000-0x000002B677A50000-memory.dmp

Filesize
128KB

Download
memory/4228-347-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/4452-492-0x000001AF78400000-0x000001AF78420000-memory.dmp

Filesize
128KB

Download
memory/4452-494-0x000001AF783C0000-0x000001AF783E0000-memory.dmp

Filesize
128KB

Download
memory/4452-496-0x000001AF787D0000-0x000001AF787F0000-memory.dmp

Filesize
128KB

Download
memory/4724-358-0x0000022747850000-0x0000022747870000-memory.dmp

Filesize
128KB

Download
memory/4724-355-0x0000022747890000-0x00000227478B0000-memory.dmp

Filesize
128KB

Download
memory/4724-360-0x0000022747C60000-0x0000022747C80000-memory.dmp

Filesize
128KB

Download
memory/4988-484-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/5032-370-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads