Analysis
-
max time kernel
34s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
15-08-2023 16:25
Static task
static1
Behavioral task
behavioral1
Sample
f7bb35dc4fbeba4d17e509393ad4131f_mafia_JC.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
f7bb35dc4fbeba4d17e509393ad4131f_mafia_JC.exe
Resource
win10v2004-20230703-en
General
-
Target
f7bb35dc4fbeba4d17e509393ad4131f_mafia_JC.exe
-
Size
3.5MB
-
MD5
f7bb35dc4fbeba4d17e509393ad4131f
-
SHA1
58326a6027755fc8246ee244fce6598092ffc042
-
SHA256
d13a693358ab8c6dbb22976e22d6ec9052842276d0d737a7e3a8e9030d309089
-
SHA512
b5d3d4a4b08f6a368bf9d9464a8233f65bb98853d7613e454c594c15bb29f6171416acd58c4924a1ed81770bfd864b5daae5b3cd870e8f7ad0cd81c4871a2101
-
SSDEEP
49152:a9yiCJ5rFwnANZGEXep+9TxFegOSDAmosh3ANkTTlQmlI8zrx+jWqZdLO:RJ5rFwnApezgOS9V3AMdld8jW0O
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Active Setup\Installed Components WerFault.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: WerFault.exe File opened (read-only) \??\F: WerFault.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe -
Program crash 48 IoCs
pid pid_target Process procid_target 2488 2304 WerFault.exe 87 5048 1100 WerFault.exe 98 4544 2324 WerFault.exe 96 1928 4548 WerFault.exe 109 380 4760 WerFault.exe 106 4292 4224 WerFault.exe 118 2768 4064 WerFault.exe 115 1272 2272 WerFault.exe 126 2556 3932 WerFault.exe 124 4064 2768 WerFault.exe 133 3060 3196 WerFault.exe 141 4256 4516 WerFault.exe 139 5116 1780 WerFault.exe 149 3148 2824 WerFault.exe 147 2168 4400 WerFault.exe 155 4792 4416 WerFault.exe 162 4884 3984 WerFault.exe 160 4960 1868 WerFault.exe 170 2156 3356 WerFault.exe 168 4336 3980 WerFault.exe 178 1160 3588 WerFault.exe 176 4084 740 WerFault.exe 186 4824 872 WerFault.exe 184 4360 3596 WerFault.exe 194 1728 3092 WerFault.exe 192 1328 1816 WerFault.exe 200 5016 3160 WerFault.exe 206 552 1360 WerFault.exe 213 4516 3896 WerFault.exe 211 2072 2196 WerFault.exe 219 3192 3580 WerFault.exe 226 1792 3108 WerFault.exe 224 4548 3736 WerFault.exe 234 2304 1436 WerFault.exe 232 1928 1744 WerFault.exe 240 2784 3916 WerFault.exe 247 884 4804 WerFault.exe 245 3260 3628 WerFault.exe 253 4864 1544 WerFault.exe 260 3636 3028 WerFault.exe 258 3044 3928 WerFault.exe 267 5004 4032 WerFault.exe 264 456 4396 WerFault.exe 272 2140 2572 WerFault.exe 279 1816 4756 WerFault.exe 286 1156 1160 WerFault.exe 284 3732 3800 WerFault.exe 294 1816 2484 WerFault.exe 292 -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1722984668-1829624581-3022101259-1000\{D6B89F54-25DA-43E6-BF31-96003D1D427B} explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots WerFault.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" SearchApp.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1722984668-1829624581-3022101259-1000\{97A3D5D3-7E99-4F81-9DF4-0A009D32273A} explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\MuiCache SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\MuiCache SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff WerFault.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ WerFault.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ WerFault.exe Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2304 explorer.exe Token: SeCreatePagefilePrivilege 2304 explorer.exe Token: SeShutdownPrivilege 2304 explorer.exe Token: SeCreatePagefilePrivilege 2304 explorer.exe Token: SeShutdownPrivilege 2304 explorer.exe Token: SeCreatePagefilePrivilege 2304 explorer.exe Token: SeShutdownPrivilege 2304 explorer.exe Token: SeCreatePagefilePrivilege 2304 explorer.exe Token: SeShutdownPrivilege 2304 explorer.exe Token: SeCreatePagefilePrivilege 2304 explorer.exe Token: SeShutdownPrivilege 2304 explorer.exe Token: SeCreatePagefilePrivilege 2304 explorer.exe Token: SeShutdownPrivilege 2304 explorer.exe Token: SeCreatePagefilePrivilege 2304 explorer.exe Token: SeShutdownPrivilege 2304 explorer.exe Token: SeCreatePagefilePrivilege 2304 explorer.exe Token: SeShutdownPrivilege 2304 explorer.exe Token: SeCreatePagefilePrivilege 2304 explorer.exe Token: SeShutdownPrivilege 2304 explorer.exe Token: SeCreatePagefilePrivilege 2304 explorer.exe Token: SeShutdownPrivilege 2304 explorer.exe Token: SeCreatePagefilePrivilege 2304 explorer.exe Token: SeShutdownPrivilege 2304 explorer.exe Token: SeCreatePagefilePrivilege 2304 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe Token: SeShutdownPrivilege 2324 explorer.exe Token: SeCreatePagefilePrivilege 2324 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 2324 explorer.exe 4760 explorer.exe 4760 explorer.exe 4760 explorer.exe 4760 explorer.exe 4760 explorer.exe 4760 explorer.exe 4760 explorer.exe 4760 explorer.exe 4760 explorer.exe 4760 explorer.exe 4760 explorer.exe 4760 WerFault.exe 4760 WerFault.exe 4760 WerFault.exe 4760 WerFault.exe 4760 WerFault.exe 4760 WerFault.exe 4760 WerFault.exe 4760 WerFault.exe 4760 WerFault.exe 4760 WerFault.exe 4760 WerFault.exe 4760 WerFault.exe 4760 WerFault.exe 4064 WerFault.exe 4064 WerFault.exe 4064 WerFault.exe 4064 WerFault.exe 4064 WerFault.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 3528 StartMenuExperienceHost.exe 816 StartMenuExperienceHost.exe 1100 SearchApp.exe 2404 StartMenuExperienceHost.exe 4548 SearchApp.exe 4416 SearchApp.exe 4224 SearchApp.exe 5016 WerFault.exe 2272 SearchApp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7bb35dc4fbeba4d17e509393ad4131f_mafia_JC.exe"C:\Users\Admin\AppData\Local\Temp\f7bb35dc4fbeba4d17e509393ad4131f_mafia_JC.exe"1⤵PID:3324
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2304 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2304 -s 62082⤵
- Program crash
PID:2488
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3528
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 444 -p 2304 -ip 23041⤵PID:2156
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2324 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2324 -s 74162⤵
- Program crash
PID:4544
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:816
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1100 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1100 -s 39762⤵
- Program crash
PID:5048
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 468 -p 1100 -ip 11001⤵PID:4152
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 544 -p 2324 -ip 23241⤵PID:4360
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4760 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4760 -s 49202⤵
- Program crash
PID:380
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2404
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4548 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4548 -s 36082⤵
- Program crash
PID:1928
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 4548 -ip 45481⤵PID:4912
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 4760 -ip 47601⤵PID:1732
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4064
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4064 -s 73242⤵
- Program crash
PID:2768
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4416
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4224 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4224 -s 36322⤵
- Program crash
PID:4292
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 4224 -ip 42241⤵PID:1092
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 4064 -ip 40641⤵PID:1152
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:3932 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3932 -s 60282⤵
- Program crash
PID:2556
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:5016
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2272 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2272 -s 35762⤵
- Program crash
PID:1272
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 412 -p 2272 -ip 22721⤵PID:4824
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 524 -p 3932 -ip 39321⤵PID:4624
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:2768 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2768 -s 60162⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Program crash
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4064
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3896
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 532 -p 2768 -ip 27681⤵PID:1336
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4516
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4516 -s 74162⤵
- Program crash
PID:4256
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1864
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3196
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3196 -s 35602⤵
- Program crash
PID:3060
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 548 -p 3196 -ip 31961⤵PID:3984
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 412 -p 4516 -ip 45161⤵PID:2116
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2824
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2824 -s 57602⤵
- Program crash
PID:3148
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2956
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1780
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1780 -s 36002⤵
- Program crash
PID:5116
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 536 -p 1780 -ip 17801⤵PID:3776
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 532 -p 2824 -ip 28241⤵PID:564
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4400
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4400 -s 59202⤵
- Program crash
PID:2168
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4740
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 404 -p 4400 -ip 44001⤵PID:4128
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3984
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3984 -s 73922⤵
- Program crash
PID:4884
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1264
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4416 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4416 -s 35202⤵
- Program crash
PID:4792
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 384 -p 4416 -ip 44161⤵PID:4768
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 412 -p 3984 -ip 39841⤵PID:4732
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3356
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3356 -s 60602⤵
- Program crash
PID:2156
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1100
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1868
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1868 -s 36002⤵
- Program crash
PID:4960
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 1868 -ip 18681⤵PID:3192
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 524 -p 3356 -ip 33561⤵PID:2044
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3588
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3588 -s 74642⤵
- Program crash
PID:1160
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2236
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3980
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3980 -s 35922⤵
- Program crash
PID:4336
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 3980 -ip 39801⤵PID:3044
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 536 -p 3588 -ip 35881⤵PID:2740
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:872
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 872 -s 11242⤵
- Program crash
PID:4824
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4828
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:740
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 740 -s 35482⤵
- Program crash
PID:4084
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 568 -p 740 -ip 7401⤵
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4760
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 588 -p 872 -ip 8721⤵PID:4916
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3092
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3092 -s 72562⤵
- Program crash
PID:1728
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4732
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3596
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3596 -s 35962⤵
- Program crash
PID:4360
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 404 -p 3596 -ip 35961⤵PID:3824
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 184 -p 3092 -ip 30921⤵PID:3180
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1816
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1816 -s 73802⤵
- Program crash
PID:1328
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3848
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4316
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 544 -p 1816 -ip 18161⤵PID:4940
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3160
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3160 -s 60442⤵
- Program crash
- Suspicious use of SetWindowsHookEx
PID:5016
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4116
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 3160 -ip 31601⤵PID:5116
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3896
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3896 -s 74082⤵
- Program crash
PID:4516
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3852
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1360
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1360 -s 36082⤵
- Program crash
PID:552
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 1360 -ip 13601⤵PID:3360
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 184 -p 3896 -ip 38961⤵PID:2728
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2196
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2196 -s 59482⤵
- Program crash
PID:2072
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3004
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 404 -p 2196 -ip 21961⤵PID:652
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3108
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3108 -s 59002⤵
- Program crash
PID:1792
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4028
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3580
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3580 -s 35322⤵
- Program crash
PID:3192
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 3580 -ip 35801⤵PID:924
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 412 -p 3108 -ip 31081⤵PID:3576
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1436
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1436 -s 61002⤵
- Program crash
PID:2304
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4760
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3736
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3736 -s 36162⤵
- Program crash
PID:4548
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 520 -p 3736 -ip 37361⤵PID:3560
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 580 -p 1436 -ip 14361⤵PID:3296
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1744
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1744 -s 60162⤵
- Program crash
PID:1928
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1132
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 384 -p 1744 -ip 17441⤵PID:3360
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4804
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4804 -s 59202⤵
- Program crash
PID:884
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4960
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3916
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3916 -s 35802⤵
- Program crash
PID:2784
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 3916 -ip 39161⤵PID:4628
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 4804 -ip 48041⤵PID:2284
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3628
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3628 -s 60242⤵
- Program crash
PID:3260
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1624
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 3628 -ip 36281⤵PID:4876
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3028
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3028 -s 73562⤵
- Program crash
PID:3636
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:352
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1544
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1544 -s 35882⤵
- Program crash
PID:4864
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 544 -p 1544 -ip 15441⤵PID:3728
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4032
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4032 -s 39522⤵
- Program crash
PID:5004
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 3028 -ip 30281⤵PID:3396
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3928
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3928 -s 60202⤵
- Program crash
PID:3044
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3792
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 3928 -ip 39281⤵PID:2572
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4396
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4396 -s 36402⤵
- Program crash
PID:456
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4940
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 4032 -ip 40321⤵PID:4232
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 440 -p 4396 -ip 43961⤵PID:1492
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2572
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2572 -s 60722⤵
- Program crash
PID:2140
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:744
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 412 -p 2572 -ip 25721⤵PID:556
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1160
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1160 -s 57922⤵
- Program crash
PID:1156
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3768
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4756
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4756 -s 35242⤵
- Program crash
PID:1816
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 412 -p 4756 -ip 47561⤵PID:4288
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 1160 -ip 11601⤵PID:4128
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2484
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2484 -s 57802⤵
- Program crash
PID:1816
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1252
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3800
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3800 -s 35442⤵
- Program crash
PID:3732
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 592 -p 3800 -ip 38001⤵PID:3228
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 2484 -ip 24841⤵PID:4636
Network
-
Remote address:8.8.8.8:53Request158.240.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request254.131.241.8.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request108.211.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request208.194.73.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.3.197.209.in-addr.arpaIN PTRResponse8.3.197.209.in-addr.arpaIN PTRvip0x008map2sslhwcdnnet
-
Remote address:8.8.8.8:53Request73.254.224.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request226.162.46.104.in-addr.arpaIN PTRResponse
-
73 B 147 B 1 1
DNS Request
158.240.127.40.in-addr.arpa
-
72 B 126 B 1 1
DNS Request
254.131.241.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.160.190.20.in-addr.arpa
-
74 B 145 B 1 1
DNS Request
108.211.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
208.194.73.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
70 B 111 B 1 1
DNS Request
8.3.197.209.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
73.254.224.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
226.162.46.104.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize1KB
MD5a8aa1c60d38c789a67a56dbc3d648f65
SHA17e599999f77cff90f3d310d98ba64617ff7bc94b
SHA2565439433c8562a4ccaa0f46bff247912e496dbcaee4a90e760320c321c067304b
SHA5129466d8644bb11ad63942ffd43ee1b72241379a48b82e083960f627f32cf40943d209c5744e2eec810147547f853b6d678d88fceffffb74340ea2a9e19568d2f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize404B
MD519a893a517349ae49ae401275159935f
SHA11d7609dd94d13c07afd21f5d0e0f37a5bc1daa0a
SHA256386c11a2912733f43f4d38184beecac7ce97e61b457ebdffcc2b6eea20ac4b59
SHA51231769d87f58b310e5d5c511e6c31dd0eb613978fb66ad3a7f841829c548bb2e1dd9e408dd2ab89bca28794812d98bab69f3343b654a521bcd2652e7bb45e5c0f
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{0A6AC72E-ED8C-C16F-38B6-05831557CF24}
Filesize36KB
MD58aaad0f4eb7d3c65f81c6e6b496ba889
SHA1231237a501b9433c292991e4ec200b25c1589050
SHA256813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
SHA5121a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S331LB7M\microsoft.windows[1].xml
Filesize97B
MD5402e0c5b12db3a5ffb0bece9995d459b
SHA1f0138de23eb90c99efb1d0b1bd0dac8f1e7102a2
SHA2566272b42676075c969ca60882f74e3c1711a3b6db824c9bb9b7f5b412e2131bc2
SHA5125caea684bcc1aa6b3ade82c94fbab992c65f3b543a999f1435c683ec785eab784e86940545cdc35641401f1ead5d28dddf5ccb34156a054c36b566fc8cbbe8f2