7b98a9da9c9adbfe77564355b111adfda35ff75f013f99bd9c24c07ad95ebc53

Analysis

max time kernel
30s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/08/2023, 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb84e0c2c96aff60ff538f18f4500416_mafia_JC.exe
Size

3.1MB
MD5

fb84e0c2c96aff60ff538f18f4500416
SHA1

14cc0db7b225b4b1a23b2e5ecc56482aa2c3e31a
SHA256

7b98a9da9c9adbfe77564355b111adfda35ff75f013f99bd9c24c07ad95ebc53
SHA512

136e3e331e36c8f898cf019cc21fb34f0af71537cab150e4c43d450352e3b2cca5c8ef877719ebd4fde6f7dd7b38a75485156ff23542a89f4e8bf7f291f9530c
SSDEEP

49152:09yiCJ5rFwnANZGEXep+9TxFegOSDAmosh3ANkTTlYaamUR5p:bJ5rFwnApezgOS9V3AMZap

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 46 IoCs

pid	pid_target	Process	procid_target
1636	1272	WerFault.exe	85
1976	3080	WerFault.exe	93
4620	3112	WerFault.exe	98
688	1600	WerFault.exe	106
2844	4772	WerFault.exe	104
3424	2896	WerFault.exe	116
1644	2996	WerFault.exe	113
2016	3420	WerFault.exe	122
2148	2704	WerFault.exe	131
2324	5004	WerFault.exe	128
3532	2968	WerFault.exe	139
4652	2132	WerFault.exe	137
1836	3380	WerFault.exe	147
2012	824	WerFault.exe	145
1080	3616	WerFault.exe	155
596	1808	WerFault.exe	153
1016	3952	WerFault.exe	163
4852	2704	WerFault.exe	161
5028	3640	WerFault.exe	171
1940	1176	WerFault.exe	169
824	4744	WerFault.exe	178
4076	1800	WerFault.exe	185
4484	2520	WerFault.exe	183
5040	2908	WerFault.exe	191
4136	564	WerFault.exe	198
3976	4280	WerFault.exe	196
3428	472	WerFault.exe	206
4012	4620	WerFault.exe	204
4920	456	WerFault.exe	214
1172	1504	WerFault.exe	212
1408	3108	WerFault.exe	222
4428	3188	WerFault.exe	220
4144	240	WerFault.exe	230
3344	2292	WerFault.exe	228
1832	1884	WerFault.exe	238
1148	3484	WerFault.exe	236
5084	1264	WerFault.exe	246
4376	1876	WerFault.exe	244
4300	1148	WerFault.exe	254
1172	4148	WerFault.exe	252
948	3180	WerFault.exe	261
3600	1180	WerFault.exe	260
460	1352	WerFault.exe	270
3048	1412	WerFault.exe	268
1668	64	WerFault.exe	276
4088	5056	WerFault.exe	283

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	WerFault.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{01061F3C-4927-457C-BE3D-E6BAE525F631}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{59AB6BB0-9E98-48E2-BCEF-A97B94C9D0F1}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	WerFault.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	WerFault.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{A847B50B-5A55-4909-B8C0-501D9097A158}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	WerFault.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{C103CEC7-9AB2-4586-B759-1D628EEEB386}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{852A405B-0132-495D-856A-C92C28A455FA}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	WerFault.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{99720830-525E-49DF-AEF1-0FC5839DF0DD}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{FD881230-B9A3-46FE-8C93-60669EE9DB35}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	WerFault.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	WerFault.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1272	explorer.exe
Token: SeCreatePagefilePrivilege	1272	explorer.exe
Token: SeShutdownPrivilege	1272	explorer.exe
Token: SeCreatePagefilePrivilege	1272	explorer.exe
Token: SeShutdownPrivilege	1272	explorer.exe
Token: SeCreatePagefilePrivilege	1272	explorer.exe
Token: SeShutdownPrivilege	1272	explorer.exe
Token: SeCreatePagefilePrivilege	1272	explorer.exe
Token: SeShutdownPrivilege	1272	explorer.exe
Token: SeCreatePagefilePrivilege	1272	explorer.exe
Token: SeShutdownPrivilege	1272	explorer.exe
Token: SeCreatePagefilePrivilege	1272	explorer.exe
Token: SeShutdownPrivilege	1272	explorer.exe
Token: SeCreatePagefilePrivilege	1272	explorer.exe
Token: SeShutdownPrivilege	1272	explorer.exe
Token: SeCreatePagefilePrivilege	1272	explorer.exe
Token: SeShutdownPrivilege	1272	explorer.exe
Token: SeCreatePagefilePrivilege	1272	explorer.exe
Token: SeShutdownPrivilege	3080	explorer.exe
Token: SeCreatePagefilePrivilege	3080	explorer.exe
Token: SeShutdownPrivilege	3080	explorer.exe
Token: SeCreatePagefilePrivilege	3080	explorer.exe
Token: SeShutdownPrivilege	3080	explorer.exe
Token: SeCreatePagefilePrivilege	3080	explorer.exe
Token: SeShutdownPrivilege	3080	explorer.exe
Token: SeCreatePagefilePrivilege	3080	explorer.exe
Token: SeShutdownPrivilege	3080	explorer.exe
Token: SeCreatePagefilePrivilege	3080	explorer.exe
Token: SeShutdownPrivilege	3080	explorer.exe
Token: SeCreatePagefilePrivilege	3080	explorer.exe
Token: SeShutdownPrivilege	3080	explorer.exe
Token: SeCreatePagefilePrivilege	3080	explorer.exe
Token: SeShutdownPrivilege	3080	explorer.exe
Token: SeCreatePagefilePrivilege	3080	explorer.exe
Token: SeShutdownPrivilege	3112	explorer.exe
Token: SeCreatePagefilePrivilege	3112	explorer.exe
Token: SeShutdownPrivilege	3112	explorer.exe
Token: SeCreatePagefilePrivilege	3112	explorer.exe
Token: SeShutdownPrivilege	3112	explorer.exe
Token: SeCreatePagefilePrivilege	3112	explorer.exe
Token: SeShutdownPrivilege	3112	explorer.exe
Token: SeCreatePagefilePrivilege	3112	explorer.exe
Token: SeShutdownPrivilege	3112	explorer.exe
Token: SeCreatePagefilePrivilege	3112	explorer.exe
Token: SeShutdownPrivilege	3112	explorer.exe
Token: SeCreatePagefilePrivilege	3112	explorer.exe
Token: SeShutdownPrivilege	3112	explorer.exe
Token: SeCreatePagefilePrivilege	3112	explorer.exe
Token: SeShutdownPrivilege	3112	explorer.exe
Token: SeCreatePagefilePrivilege	3112	explorer.exe
Token: SeShutdownPrivilege	4772	explorer.exe
Token: SeCreatePagefilePrivilege	4772	explorer.exe
Token: SeShutdownPrivilege	4772	explorer.exe
Token: SeCreatePagefilePrivilege	4772	explorer.exe
Token: SeShutdownPrivilege	4772	explorer.exe
Token: SeCreatePagefilePrivilege	4772	explorer.exe
Token: SeShutdownPrivilege	4772	explorer.exe
Token: SeCreatePagefilePrivilege	4772	explorer.exe
Token: SeShutdownPrivilege	4772	explorer.exe
Token: SeCreatePagefilePrivilege	4772	explorer.exe
Token: SeShutdownPrivilege	4772	explorer.exe
Token: SeCreatePagefilePrivilege	4772	explorer.exe
Token: SeShutdownPrivilege	4772	explorer.exe
Token: SeCreatePagefilePrivilege	4772	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
1272	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
3112	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3588	StartMenuExperienceHost.exe
2676	StartMenuExperienceHost.exe
2416	StartMenuExperienceHost.exe
1600	WerFault.exe
4172	StartMenuExperienceHost.exe
2896	SearchApp.exe
4660	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\fb84e0c2c96aff60ff538f18f4500416_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fb84e0c2c96aff60ff538f18f4500416_mafia_JC.exe"
1⤵
PID:4412

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1272
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1272 -s 6228
  2⤵
  - Program crash
  PID:1636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 1272 -ip 1272
1⤵
PID:4772

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3080
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3080 -s 5888
  2⤵
  - Program crash
  PID:1976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 3080 -ip 3080
1⤵
PID:3200

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3112 -s 6056
  2⤵
  - Program crash
  PID:4620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3112 -ip 3112
1⤵
PID:1348

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4772
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4772 -s 7544
  2⤵
  - Program crash
  PID:2844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1600
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1600 -s 3612
  2⤵
  - Program crash
  PID:688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 1600 -ip 1600
1⤵
PID:4736

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 4772 -ip 4772
1⤵
PID:3464

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2996
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2996 -s 7436
  2⤵
  - Program crash
  PID:1644

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4172

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2896
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2896 -s 3568
  2⤵
  - Program crash
  PID:3424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 2896 -ip 2896
1⤵
PID:3324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2996 -ip 2996
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:3420
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3420 -s 5320
  2⤵
  - Program crash
  PID:2016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3420 -ip 3420
1⤵
PID:4452

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:5004
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5004 -s 5924
  2⤵
  - Program crash
  PID:2324

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2704
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2704 -s 3628
  2⤵
  - Program crash
  PID:2148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 2704 -ip 2704
1⤵
PID:4296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 5004 -ip 5004
1⤵
PID:4592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2132 -s 5800
  2⤵
  - Program crash
  PID:4652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3360

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2968
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2968 -s 3540
  2⤵
  - Program crash
  PID:3532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 2968 -ip 2968
1⤵
PID:2728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 2132 -ip 2132
1⤵
PID:4740

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:824
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 824 -s 6544
  2⤵
  - Program crash
  PID:2012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:572

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3380
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3380 -s 3620
  2⤵
  - Program crash
  PID:1836

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3380 -ip 3380
1⤵
PID:4756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 824 -ip 824
1⤵
PID:2372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1808
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1808 -s 6076
  2⤵
  - Program crash
  PID:596

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3616
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3616 -s 3572
  2⤵
  - Program crash
  PID:1080

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3616 -ip 3616
1⤵
PID:3164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 1808 -ip 1808
1⤵
PID:4752

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2704
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2704 -s 5892
  2⤵
  - Program crash
  PID:4852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3952 -s 3592
  2⤵
  - Program crash
  PID:1016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3952 -ip 3952
1⤵
PID:4088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 2704 -ip 2704
1⤵
PID:560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1176
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1176 -s 7472
  2⤵
  - Program crash
  PID:1940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3640
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3640 -s 3588
  2⤵
  - Program crash
  PID:5028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3640 -ip 3640
1⤵
PID:3384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 1176 -ip 1176
1⤵
PID:3884

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4744
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4744 -s 6200
  2⤵
  - Program crash
  PID:824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 4744 -ip 4744
1⤵
PID:4740

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2520
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2520 -s 6076
  2⤵
  - Program crash
  PID:4484

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1648

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1800
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1800 -s 3552
  2⤵
  - Program crash
  PID:4076

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 1800 -ip 1800
1⤵
PID:496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 2520 -ip 2520
1⤵
PID:1892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2908
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2908 -s 5972
  2⤵
  - Program crash
  PID:5040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 2908 -ip 2908
1⤵
PID:860

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4280
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4280 -s 7372
  2⤵
  - Program crash
  PID:3976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:60

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:564
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 564 -s 3620
  2⤵
  - Program crash
  PID:4136

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 564 -ip 564
1⤵
PID:3912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 4280 -ip 4280
1⤵
PID:2728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4620
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4620 -s 3452
  2⤵
  - Program crash
  PID:4012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:472
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 472 -s 3596
  2⤵
  - Program crash
  PID:3428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 472 -ip 472
1⤵
PID:2832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 4620 -ip 4620
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1600

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1504
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1504 -s 4756
  2⤵
  - Program crash
  PID:1172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:564

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:456
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 456 -s 3628
  2⤵
  - Program crash
  PID:4920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 456 -ip 456
1⤵
PID:4736

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1504 -ip 1504
1⤵
PID:3044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3188
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3188 -s 7372
  2⤵
  - Program crash
  PID:4428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3108 -s 3560
  2⤵
  - Program crash
  PID:1408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 3108 -ip 3108
1⤵
PID:2204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 3188 -ip 3188
1⤵
PID:1968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2292
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2292 -s 7512
  2⤵
  - Program crash
  PID:3344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4388

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:240
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 240 -s 3532
  2⤵
  - Program crash
  PID:4144

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 240 -ip 240
1⤵
PID:3644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 2292 -ip 2292
1⤵
PID:2768

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3484
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3484 -s 3424
  2⤵
  - Program crash
  PID:1148

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1884
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1884 -s 3560
  2⤵
  - Program crash
  PID:1832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 1884 -ip 1884
1⤵
PID:4904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3484 -ip 3484
1⤵
PID:3916

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1876
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1876 -s 5944
  2⤵
  - Program crash
  PID:4376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3740

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1264
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1264 -s 3536
  2⤵
  - Program crash
  PID:5084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1264 -ip 1264
1⤵
PID:4744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 1876 -ip 1876
1⤵
PID:4756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4148
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4148 -s 5940
  2⤵
  - Program crash
  PID:1172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:660

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1148
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1148 -s 3596
  2⤵
  - Program crash
  PID:4300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 1148 -ip 1148
1⤵
PID:3912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 4148 -ip 4148
1⤵
PID:960

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1180
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1180 -s 5736
  2⤵
  - Program crash
  PID:3600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3180
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3180 -s 4020
  2⤵
  - Program crash
  PID:948

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 3180 -ip 3180
1⤵
PID:1980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1180 -ip 1180
1⤵
PID:4300

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1412
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1412 -s 6028
  2⤵
  - Program crash
  PID:3048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4196

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1352
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1352 -s 3516
  2⤵
  - Program crash
  PID:460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1352 -ip 1352
1⤵
PID:980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 1412 -ip 1412
1⤵
PID:1436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:64
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 64 -s 5980
  2⤵
  - Program crash
  PID:1668

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 64 -ip 64
1⤵
PID:4264

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3352

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5056
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5056 -s 3552
  2⤵
  - Program crash
  PID:4088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 5056 -ip 5056
1⤵
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
a8aa1c60d38c789a67a56dbc3d648f65

SHA1
7e599999f77cff90f3d310d98ba64617ff7bc94b

SHA256
5439433c8562a4ccaa0f46bff247912e496dbcaee4a90e760320c321c067304b

SHA512
9466d8644bb11ad63942ffd43ee1b72241379a48b82e083960f627f32cf40943d209c5744e2eec810147547f853b6d678d88fceffffb74340ea2a9e19568d2f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
ce5e2e48c0233d0de444c34fc66880a0

SHA1
bb6d0e051fba086af0b434760cd0ad5d3e07eee8

SHA256
d4e813cea7de12f7e3bb357924690cd12cbbac511ff5d2ea6972b6242a539f7f

SHA512
b18f0c7f57591a5167a16f287fdae6b5cb1c9fd25ae3f540f900b0af04e0d01e14dce5b469fafade25f2c1aa329771e39adde3f2a41602147c5e3dac5342aeec

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
memory/240-446-0x0000024123700000-0x0000024123720000-memory.dmp

Filesize
128KB

Download
memory/240-449-0x00000241236C0000-0x00000241236E0000-memory.dmp

Filesize
128KB

Download
memory/240-452-0x0000024123CE0000-0x0000024123D00000-memory.dmp

Filesize
128KB

Download
memory/456-402-0x00000167147C0000-0x00000167147E0000-memory.dmp

Filesize
128KB

Download
memory/456-400-0x0000016714A00000-0x0000016714A20000-memory.dmp

Filesize
128KB

Download
memory/456-404-0x0000016714DD0000-0x0000016714DF0000-memory.dmp

Filesize
128KB

Download
memory/472-380-0x000001E71B2C0000-0x000001E71B2E0000-memory.dmp

Filesize
128KB

Download
memory/472-382-0x000001E71B8E0000-0x000001E71B900000-memory.dmp

Filesize
128KB

Download
memory/472-377-0x000001E71B300000-0x000001E71B320000-memory.dmp

Filesize
128KB

Download
memory/564-356-0x0000023577C90000-0x0000023577CB0000-memory.dmp

Filesize
128KB

Download
memory/564-354-0x0000023577CD0000-0x0000023577CF0000-memory.dmp

Filesize
128KB

Download
memory/564-358-0x00000235780A0000-0x00000235780C0000-memory.dmp

Filesize
128KB

Download
memory/824-234-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/1176-303-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/1264-492-0x000001BD5A2D0000-0x000001BD5A2F0000-memory.dmp

Filesize
128KB

Download
memory/1264-496-0x000001BD5A8A0000-0x000001BD5A8C0000-memory.dmp

Filesize
128KB

Download
memory/1264-494-0x000001BD5A290000-0x000001BD5A2B0000-memory.dmp

Filesize
128KB

Download
memory/1504-392-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/1600-149-0x0000026EF9970000-0x0000026EF9990000-memory.dmp

Filesize
128KB

Download
memory/1600-155-0x0000026EF9D40000-0x0000026EF9D60000-memory.dmp

Filesize
128KB

Download
memory/1600-152-0x0000026EF9930000-0x0000026EF9950000-memory.dmp

Filesize
128KB

Download
memory/1800-335-0x000001ECCFEA0000-0x000001ECCFEC0000-memory.dmp

Filesize
128KB

Download
memory/1800-337-0x000001ECCFE60000-0x000001ECCFE80000-memory.dmp

Filesize
128KB

Download
memory/1800-341-0x000001ECD0480000-0x000001ECD04A0000-memory.dmp

Filesize
128KB

Download
memory/1808-257-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/1876-484-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/1884-469-0x000002538F2C0000-0x000002538F2E0000-memory.dmp

Filesize
128KB

Download
memory/1884-471-0x000002538F280000-0x000002538F2A0000-memory.dmp

Filesize
128KB

Download
memory/1884-474-0x000002538F690000-0x000002538F6B0000-memory.dmp

Filesize
128KB

Download
memory/2132-211-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/2292-438-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/2520-327-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2704-281-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2704-201-0x0000021DD2500000-0x0000021DD2520000-memory.dmp

Filesize
128KB

Download
memory/2704-198-0x0000021DD2100000-0x0000021DD2120000-memory.dmp

Filesize
128KB

Download
memory/2704-196-0x0000021DD2140000-0x0000021DD2160000-memory.dmp

Filesize
128KB

Download
memory/2896-176-0x000002EC3E2E0000-0x000002EC3E300000-memory.dmp

Filesize
128KB

Download
memory/2896-174-0x000002EC3DBD0000-0x000002EC3DBF0000-memory.dmp

Filesize
128KB

Download
memory/2896-172-0x000002EC3DF20000-0x000002EC3DF40000-memory.dmp

Filesize
128KB

Download
memory/2968-221-0x000001961E960000-0x000001961E980000-memory.dmp

Filesize
128KB

Download
memory/2968-219-0x000001961E9A0000-0x000001961E9C0000-memory.dmp

Filesize
128KB

Download
memory/2968-223-0x000001961ED70000-0x000001961ED90000-memory.dmp

Filesize
128KB

Download
memory/2996-164-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3108-423-0x00000207869E0000-0x0000020786A00000-memory.dmp

Filesize
128KB

Download
memory/3108-425-0x00000207869A0000-0x00000207869C0000-memory.dmp

Filesize
128KB

Download
memory/3108-427-0x00000207870B0000-0x00000207870D0000-memory.dmp

Filesize
128KB

Download
memory/3188-415-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/3380-242-0x00000225B7220000-0x00000225B7240000-memory.dmp

Filesize
128KB

Download
memory/3380-244-0x00000225B6FE0000-0x00000225B7000000-memory.dmp

Filesize
128KB

Download
memory/3380-246-0x00000225B75F0000-0x00000225B7610000-memory.dmp

Filesize
128KB

Download
memory/3484-461-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/3616-270-0x000001D8D72E0000-0x000001D8D7300000-memory.dmp

Filesize
128KB

Download
memory/3616-265-0x000001D8D6F20000-0x000001D8D6F40000-memory.dmp

Filesize
128KB

Download
memory/3616-268-0x000001D8D6BD0000-0x000001D8D6BF0000-memory.dmp

Filesize
128KB

Download
memory/3640-316-0x000001D881020000-0x000001D881040000-memory.dmp

Filesize
128KB

Download
memory/3640-311-0x000001D880C60000-0x000001D880C80000-memory.dmp

Filesize
128KB

Download
memory/3640-313-0x000001D880C20000-0x000001D880C40000-memory.dmp

Filesize
128KB

Download
memory/3952-288-0x0000023D74AF0000-0x0000023D74B10000-memory.dmp

Filesize
128KB

Download
memory/3952-290-0x0000023D74AB0000-0x0000023D74AD0000-memory.dmp

Filesize
128KB

Download
memory/3952-292-0x0000023D750C0000-0x0000023D750E0000-memory.dmp

Filesize
128KB

Download
memory/4280-347-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/4620-369-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/4772-142-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/5004-188-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads