b58b37f1c254b94c3ef95937f76ab5994b42a4791ab7e1ded9346a487a69e558

Analysis

max time kernel
25s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2023, 16:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5a9e2f4fb2766864c98320f82f7f571b_mafia_JC.exe
Size

1.6MB
MD5

5a9e2f4fb2766864c98320f82f7f571b
SHA1

0984443af19221ed1b3f505e0a4275b032df7a3a
SHA256

b58b37f1c254b94c3ef95937f76ab5994b42a4791ab7e1ded9346a487a69e558
SHA512

ec945b3146ce5ea6acff84766c84675a42b86605955e4a2bc7d55577ddf8ea138112cc90982b8bfc6afe0dd8182a469c3015113a85858faf998c9613a500598f
SSDEEP

49152:2ECbcKStP1hJ8NB0yd5D2dJd/9l63ANkTTlP:2ETKStP1hJ8Ia3AMh

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 48 IoCs

pid	pid_target	Process	procid_target
2928	4112	WerFault.exe	86
4636	396	WerFault.exe	95
2660	704	WerFault.exe	104
2472	448	WerFault.exe	102
2560	1304	WerFault.exe	110
3856	4252	WerFault.exe	115
3924	3580	WerFault.exe	122
3364	3448	WerFault.exe	120
1528	3984	WerFault.exe	131
1800	2968	WerFault.exe	128
4664	2472	WerFault.exe	137
1068	2700	WerFault.exe	144
4228	2024	WerFault.exe	142
1204	100	WerFault.exe	150
1540	5052	WerFault.exe	157
5072	4020	WerFault.exe	155
3412	1204	WerFault.exe	163
880	2328	WerFault.exe	170
1232	1512	WerFault.exe	168
232	4112	WerFault.exe	178
5080	3660	WerFault.exe	176
4468	1928	WerFault.exe	184
4664	592	WerFault.exe	191
4848	4552	WerFault.exe	189
1456	2252	WerFault.exe	199
3816	4024	WerFault.exe	197
3876	4068	WerFault.exe	207
4636	4404	WerFault.exe	205
1632	3484	WerFault.exe	215
324	3660	WerFault.exe	213
4776	980	WerFault.exe	221
4228	3308	WerFault.exe	228
5044	3440	WerFault.exe	226
1460	3080	WerFault.exe	234
1664	704	WerFault.exe	239
1376	2248	WerFault.exe	246
2728	2356	WerFault.exe	244
3052	1664	WerFault.exe	254
4376	2868	WerFault.exe	252
3820	4160	WerFault.exe	262
1204	4472	WerFault.exe	260
3848	4384	WerFault.exe	268
4044	4916	WerFault.exe	271
3624	3272	WerFault.exe	274
324	4892	WerFault.exe	281
988	3352	WerFault.exe	288
3228	2980	WerFault.exe	286
3492	3788	WerFault.exe	296

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{58E79CFA-D052-4285-ACBD-0245C672EE85}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{2B798582-A397-4C7C-AF53-940BA54F7CA5}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{3272E058-1887-4245-A422-59BB2FB5CBCF}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{4B12CCF2-9DAB-4187-B79E-444685BC04F6}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{5D0C1E1B-4FC7-4BDC-BE75-8835E32C387D}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	396	explorer.exe
Token: SeCreatePagefilePrivilege	396	explorer.exe
Token: SeShutdownPrivilege	396	explorer.exe
Token: SeCreatePagefilePrivilege	396	explorer.exe
Token: SeShutdownPrivilege	396	explorer.exe
Token: SeCreatePagefilePrivilege	396	explorer.exe
Token: SeShutdownPrivilege	396	explorer.exe
Token: SeCreatePagefilePrivilege	396	explorer.exe
Token: SeShutdownPrivilege	396	explorer.exe
Token: SeCreatePagefilePrivilege	396	explorer.exe
Token: SeShutdownPrivilege	396	explorer.exe
Token: SeCreatePagefilePrivilege	396	explorer.exe
Token: SeShutdownPrivilege	396	explorer.exe
Token: SeCreatePagefilePrivilege	396	explorer.exe
Token: SeShutdownPrivilege	396	explorer.exe
Token: SeCreatePagefilePrivilege	396	explorer.exe
Token: SeShutdownPrivilege	396	explorer.exe
Token: SeCreatePagefilePrivilege	396	explorer.exe
Token: SeShutdownPrivilege	396	explorer.exe
Token: SeCreatePagefilePrivilege	396	explorer.exe
Token: SeShutdownPrivilege	396	explorer.exe
Token: SeCreatePagefilePrivilege	396	explorer.exe
Token: SeShutdownPrivilege	448	explorer.exe
Token: SeCreatePagefilePrivilege	448	explorer.exe
Token: SeShutdownPrivilege	448	explorer.exe
Token: SeCreatePagefilePrivilege	448	explorer.exe
Token: SeShutdownPrivilege	448	explorer.exe
Token: SeCreatePagefilePrivilege	448	explorer.exe
Token: SeShutdownPrivilege	448	explorer.exe
Token: SeCreatePagefilePrivilege	448	explorer.exe
Token: SeShutdownPrivilege	448	explorer.exe
Token: SeCreatePagefilePrivilege	448	explorer.exe
Token: SeShutdownPrivilege	448	explorer.exe
Token: SeCreatePagefilePrivilege	448	explorer.exe
Token: SeShutdownPrivilege	448	explorer.exe
Token: SeCreatePagefilePrivilege	448	explorer.exe
Token: SeShutdownPrivilege	448	explorer.exe
Token: SeCreatePagefilePrivilege	448	explorer.exe
Token: SeShutdownPrivilege	448	explorer.exe
Token: SeCreatePagefilePrivilege	448	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
1304	explorer.exe
1304	explorer.exe
1304	explorer.exe
1304	explorer.exe
1304	explorer.exe
1304	explorer.exe
1304	explorer.exe
1304	explorer.exe
1304	explorer.exe
1304	explorer.exe
1304	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4704	StartMenuExperienceHost.exe
456	StartMenuExperienceHost.exe
3376	StartMenuExperienceHost.exe
704	SearchApp.exe
3620	StartMenuExperienceHost.exe
2028	StartMenuExperienceHost.exe
2972	StartMenuExperienceHost.exe
3580	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5a9e2f4fb2766864c98320f82f7f571b_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\5a9e2f4fb2766864c98320f82f7f571b_mafia_JC.exe"
1⤵
PID:208

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4112 -s 6256
  2⤵
  - Program crash
  PID:2928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 4112 -ip 4112
1⤵
PID:4772

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:396
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 396 -s 5688
  2⤵
  - Program crash
  PID:4636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 396 -ip 396
1⤵
PID:3292

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:448
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 448 -s 7452
  2⤵
  - Program crash
  PID:2472

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3376

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:704
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 704 -s 2784
  2⤵
  - Program crash
  PID:2660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 704 -ip 704
1⤵
PID:4992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 448 -ip 448
1⤵
PID:4892

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1304 -s 5964
  2⤵
  - Program crash
  PID:2560

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 1304 -ip 1304
1⤵
PID:4228

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4252 -s 6064
  2⤵
  - Program crash
  PID:3856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4252 -ip 4252
1⤵
PID:4328

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:3448
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3448 -s 5464
  2⤵
  - Program crash
  PID:3364

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3580
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3580 -s 3508
  2⤵
  - Program crash
  PID:3924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3580 -ip 3580
1⤵
PID:3836

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3448 -ip 3448
1⤵
PID:5016

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2968
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2968 -s 5928
  2⤵
  - Program crash
  PID:1800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3984
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3984 -s 3600
  2⤵
  - Program crash
  PID:1528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3984 -ip 3984
1⤵
PID:2912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 2968 -ip 2968
1⤵
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2472
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2472 -s 5844
  2⤵
  - Program crash
  PID:4664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 2472 -ip 2472
1⤵
PID:4920

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2024
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2024 -s 7332
  2⤵
  - Program crash
  PID:4228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2700
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2700 -s 3588
  2⤵
  - Program crash
  PID:1068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 2700 -ip 2700
1⤵
PID:944

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 2024 -ip 2024
1⤵
PID:2256

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:100
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 100 -s 5752
  2⤵
  - Program crash
  PID:1204

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:964

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 100 -ip 100
1⤵
PID:2860

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4020
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4020 -s 7384
  2⤵
  - Program crash
  PID:5072

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5052
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5052 -s 3576
  2⤵
  - Program crash
  PID:1540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 5052 -ip 5052
1⤵
PID:4104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 4020 -ip 4020
1⤵
PID:1828

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1204
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1204 -s 6060
  2⤵
  - Program crash
  PID:3412

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 1204 -ip 1204
1⤵
PID:3452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1512
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1512 -s 6060
  2⤵
  - Program crash
  PID:1232

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2328
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2328 -s 3580
  2⤵
  - Program crash
  PID:880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 2328 -ip 2328
1⤵
PID:3296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 1512 -ip 1512
1⤵
PID:3288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3660
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3660 -s 7412
  2⤵
  - Program crash
  PID:5080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4980

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4112 -s 3544
  2⤵
  - Program crash
  PID:232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 4112 -ip 4112
1⤵
PID:3688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 3660 -ip 3660
1⤵
PID:3872

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1928 -s 5944
  2⤵
  - Program crash
  PID:4468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 364 -p 1928 -ip 1928
1⤵
PID:3664

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4552
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4552 -s 7376
  2⤵
  - Program crash
  PID:4848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:396

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:592
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 592 -s 3564
  2⤵
  - Program crash
  PID:4664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 364 -p 592 -ip 592
1⤵
PID:4644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 4552 -ip 4552
1⤵
PID:2328

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4024
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4024 -s 5928
  2⤵
  - Program crash
  PID:3816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2252 -s 3532
  2⤵
  - Program crash
  PID:1456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 2252 -ip 2252
1⤵
PID:3208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 4024 -ip 4024
1⤵
PID:4384

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4404
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4404 -s 6056
  2⤵
  - Program crash
  PID:4636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4068
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4068 -s 3568
  2⤵
  - Program crash
  PID:3876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4068 -ip 4068
1⤵
PID:4672

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4404 -ip 4404
1⤵
PID:2960

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3660
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3660 -s 7476
  2⤵
  - Program crash
  PID:324

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:720

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3484
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3484 -s 3568
  2⤵
  - Program crash
  PID:1632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3484 -ip 3484
1⤵
PID:5108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 3660 -ip 3660
1⤵
PID:4372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:980
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 980 -s 6016
  2⤵
  - Program crash
  PID:4776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 980 -ip 980
1⤵
PID:4436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3440
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3440 -s 4120
  2⤵
  - Program crash
  PID:5044

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3308
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3308 -s 3600
  2⤵
  - Program crash
  PID:4228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3308 -ip 3308
1⤵
PID:4504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3440 -ip 3440
1⤵
PID:768

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3080
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3080 -s 5896
  2⤵
  - Program crash
  PID:1460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 3080 -ip 3080
1⤵
PID:4320

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:704
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 704 -s 4912
  2⤵
  - Program crash
  PID:1664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:220

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 704 -ip 704
1⤵
PID:2928

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2356
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2356 -s 5948
  2⤵
  - Program crash
  PID:2728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2248
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2248 -s 3580
  2⤵
  - Program crash
  PID:1376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 2248 -ip 2248
1⤵
PID:4664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 2356 -ip 2356
1⤵
PID:1616

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2868
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2868 -s 5488
  2⤵
  - Program crash
  PID:4376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4020

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1664
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1664 -s 3580
  2⤵
  - Program crash
  PID:3052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 1664 -ip 1664
1⤵
PID:4952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 2868 -ip 2868
1⤵
PID:1108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4472
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4472 -s 7436
  2⤵
  - Program crash
  PID:1204

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3160

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4160
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4160 -s 3580
  2⤵
  - Program crash
  PID:3820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 364 -p 4160 -ip 4160
1⤵
PID:4896

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4472 -ip 4472
1⤵
PID:4684

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4384 -s 5876
  2⤵
  - Program crash
  PID:3848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4916 -s 3964
  2⤵
  - Program crash
  PID:4044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 4384 -ip 4384
1⤵
PID:2988

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3272
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3272 -s 7600
  2⤵
  - Program crash
  PID:3624

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 4916 -ip 4916
1⤵
PID:1776

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3272 -ip 3272
1⤵
PID:3316

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4892
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4892 -s 5892
  2⤵
  - Program crash
  PID:324

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 4892 -ip 4892
1⤵
PID:4992

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2980
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2980 -s 7332
  2⤵
  - Program crash
  PID:3228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3352
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3352 -s 3560
  2⤵
  - Program crash
  PID:988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 3352 -ip 3352
1⤵
PID:1320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 2980 -ip 2980
1⤵
PID:4968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3788
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3788 -s 3548
  2⤵
  - Program crash
  PID:3492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3788 -ip 3788
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
44b9c7518ed64789ca01662914e1f833

SHA1
26e134466ec905cda39c95160aeddb04eab62b71

SHA256
bfdf09257832ff0209b1735ced91f5a98965b950549369e456b8067ad90b6bfd

SHA512
470cf875df0468f394f11bf1e86a912ff4d462f22b03de6be776291547d1ace012062979ec96990843a008fb3257ccd6451003cec8e9efcd257805b2406cdb75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
c2503f2c4cc7110f42416eb64b1454be

SHA1
3b5e858ca40706ac9763348165a72ef9b0b8f663

SHA256
33d86677f1a3afbca0d582d62fd528eb55ac939f7005dea48a9efbc8b1dd9e2e

SHA512
313a159969e0326b72ae00f19bf611f46823c7120c0f1d80e102355c378f5af2332f8ba8a2eca956c6f96ffb85f07d1b7f4348ae1ed9985739c2c792851cc95f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
memory/448-141-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/592-306-0x00000173155D0000-0x00000173155F0000-memory.dmp

Filesize
128KB

Download
memory/592-312-0x00000173159A0000-0x00000173159C0000-memory.dmp

Filesize
128KB

Download
memory/592-308-0x0000017315590000-0x00000173155B0000-memory.dmp

Filesize
128KB

Download
memory/704-153-0x0000028DE1AB0000-0x0000028DE1AD0000-memory.dmp

Filesize
128KB

Download
memory/704-150-0x0000028DE13A0000-0x0000028DE13C0000-memory.dmp

Filesize
128KB

Download
memory/704-148-0x0000028DE13E0000-0x0000028DE1400000-memory.dmp

Filesize
128KB

Download
memory/1512-256-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1664-440-0x0000026DDFB40000-0x0000026DDFB60000-memory.dmp

Filesize
128KB

Download
memory/1664-444-0x0000026DDFF10000-0x0000026DDFF30000-memory.dmp

Filesize
128KB

Download
memory/1664-442-0x0000026DDFB00000-0x0000026DDFB20000-memory.dmp

Filesize
128KB

Download
memory/2024-208-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/2248-424-0x000002456B9A0000-0x000002456B9C0000-memory.dmp

Filesize
128KB

Download
memory/2248-419-0x000002456B590000-0x000002456B5B0000-memory.dmp

Filesize
128KB

Download
memory/2248-417-0x000002456B5D0000-0x000002456B5F0000-memory.dmp

Filesize
128KB

Download
memory/2252-328-0x000001C5DDB30000-0x000001C5DDB50000-memory.dmp

Filesize
128KB

Download
memory/2252-325-0x000001C5DDB70000-0x000001C5DDB90000-memory.dmp

Filesize
128KB

Download
memory/2252-331-0x000001C5DDF40000-0x000001C5DDF60000-memory.dmp

Filesize
128KB

Download
memory/2328-264-0x0000023494CF0000-0x0000023494D10000-memory.dmp

Filesize
128KB

Download
memory/2328-268-0x0000023C962C0000-0x0000023C962E0000-memory.dmp

Filesize
128KB

Download
memory/2328-266-0x0000023494CB0000-0x0000023494CD0000-memory.dmp

Filesize
128KB

Download
memory/2356-410-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2700-218-0x0000022F6EE20000-0x0000022F6EE40000-memory.dmp

Filesize
128KB

Download
memory/2700-220-0x0000022F6F230000-0x0000022F6F250000-memory.dmp

Filesize
128KB

Download
memory/2700-216-0x0000022F6EE60000-0x0000022F6EE80000-memory.dmp

Filesize
128KB

Download
memory/2868-432-0x0000000003EA0000-0x0000000003EA1000-memory.dmp

Filesize
4KB

Download
memory/2968-185-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3272-480-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/3308-397-0x0000020A66C80000-0x0000020A66CA0000-memory.dmp

Filesize
128KB

Download
memory/3308-394-0x0000020A66870000-0x0000020A66890000-memory.dmp

Filesize
128KB

Download
memory/3308-392-0x0000020A668B0000-0x0000020A668D0000-memory.dmp

Filesize
128KB

Download
memory/3440-385-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/3448-165-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/3484-368-0x0000011679320000-0x0000011679340000-memory.dmp

Filesize
128KB

Download
memory/3484-372-0x00000116796F0000-0x0000011679710000-memory.dmp

Filesize
128KB

Download
memory/3484-370-0x0000011678FE0000-0x0000011679000000-memory.dmp

Filesize
128KB

Download
memory/3580-175-0x000001C008FE0000-0x000001C009000000-memory.dmp

Filesize
128KB

Download
memory/3580-173-0x000001C009320000-0x000001C009340000-memory.dmp

Filesize
128KB

Download
memory/3580-178-0x000001C0096F0000-0x000001C009710000-memory.dmp

Filesize
128KB

Download
memory/3660-279-0x0000000003E90000-0x0000000003E91000-memory.dmp

Filesize
4KB

Download
memory/3660-360-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/3984-192-0x000001E1CD820000-0x000001E1CD840000-memory.dmp

Filesize
128KB

Download
memory/3984-195-0x000001E1CD5E0000-0x000001E1CD600000-memory.dmp

Filesize
128KB

Download
memory/3984-197-0x000001E1CDBF0000-0x000001E1CDC10000-memory.dmp

Filesize
128KB

Download
memory/4020-232-0x0000000003940000-0x0000000003941000-memory.dmp

Filesize
4KB

Download
memory/4024-318-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/4068-345-0x0000018006CF0000-0x0000018006D10000-memory.dmp

Filesize
128KB

Download
memory/4068-348-0x0000018006CB0000-0x0000018006CD0000-memory.dmp

Filesize
128KB

Download
memory/4068-352-0x00000180072C0000-0x00000180072E0000-memory.dmp

Filesize
128KB

Download
memory/4112-293-0x0000026D2B430000-0x0000026D2B450000-memory.dmp

Filesize
128KB

Download
memory/4112-290-0x0000026D2B020000-0x0000026D2B040000-memory.dmp

Filesize
128KB

Download
memory/4112-287-0x0000026D2B060000-0x0000026D2B080000-memory.dmp

Filesize
128KB

Download
memory/4160-467-0x000002136B3C0000-0x000002136B3E0000-memory.dmp

Filesize
128KB

Download
memory/4160-465-0x000002136ADB0000-0x000002136ADD0000-memory.dmp

Filesize
128KB

Download
memory/4160-463-0x000002136B000000-0x000002136B020000-memory.dmp

Filesize
128KB

Download
memory/4404-337-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/4472-455-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/4552-300-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4916-486-0x000001DCCBBA0000-0x000001DCCBBC0000-memory.dmp

Filesize
128KB

Download
memory/4916-488-0x000001DCCBB60000-0x000001DCCBB80000-memory.dmp

Filesize
128KB

Download
memory/4916-490-0x000001DCCBF70000-0x000001DCCBF90000-memory.dmp

Filesize
128KB

Download
memory/5052-240-0x000002027A300000-0x000002027A320000-memory.dmp

Filesize
128KB

Download
memory/5052-244-0x000002027A6D0000-0x000002027A6F0000-memory.dmp

Filesize
128KB

Download
memory/5052-242-0x0000020279FC0000-0x0000020279FE0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads