e55107428e0b2684be55ed6daea4ecaf1b509f13e689493d1d0dc3b3d42270ba

Analysis

max time kernel
31s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 11:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e55107428e0b2684be55ed6daea4ecaf1b509f13e689493d1d0dc3b3d42270ba.exe
Size

2.7MB
MD5

5f553c408507c482c684f4e5a03bf373
SHA1

2c5cbb0392a4c6d641ea29ee10052ea785adcb8a
SHA256

e55107428e0b2684be55ed6daea4ecaf1b509f13e689493d1d0dc3b3d42270ba
SHA512

0b48d85f2b9bdec0aa1b0144a0492d2ad9ec951025230146cc1daca4a9dda8e29fb118faa2a3ab0a542fe285a27441b837b5668926f91c1ba959d353f1f283e4
SSDEEP

49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTlhkuwAAeDku05o0P5WIBF:Q+8X9G3vP3AMsbAdDkuA55vBF

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	WerFault.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	WerFault.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 49 IoCs

pid	pid_target	Process	procid_target
4856	3108	WerFault.exe	87
2040	1816	WerFault.exe	100
1076	4240	WerFault.exe	96
3380	3996	WerFault.exe	108
3224	3980	WerFault.exe	106
3392	3460	WerFault.exe	114
3660	2984	WerFault.exe	121
4716	4796	WerFault.exe	119
4272	4068	WerFault.exe	128
4668	1808	WerFault.exe	135
4940	3040	WerFault.exe	133
2872	2512	WerFault.exe	143
3596	4176	WerFault.exe	141
432	5068	WerFault.exe	151
2816	5088	WerFault.exe	149
4584	1384	WerFault.exe	159
1880	4880	WerFault.exe	157
1304	4040	WerFault.exe	165
1076	4028	WerFault.exe	172
4088	3700	WerFault.exe	170
2052	4932	WerFault.exe	180
4192	4652	WerFault.exe	178
4444	3728	WerFault.exe	186
1216	3456	WerFault.exe	193
2468	3376	WerFault.exe	191
3728	4336	WerFault.exe	201
5052	4576	WerFault.exe	199
1008	1876	WerFault.exe	207
3348	3052	WerFault.exe	214
4888	1812	WerFault.exe	212
4244	1416	WerFault.exe	222
3892	3304	WerFault.exe	220
876	3392	WerFault.exe	230
3884	4696	WerFault.exe	228
5024	3892	WerFault.exe	238
4652	3904	WerFault.exe	236
1988	3312	WerFault.exe	246
1708	3360	WerFault.exe	244
4992	368	WerFault.exe	252
1312	4760	WerFault.exe	259
4564	4240	WerFault.exe	257
4916	1552	WerFault.exe	266
1692	4768	WerFault.exe	265
2540	1876	WerFault.exe	275
1652	1324	WerFault.exe	273
3160	2604	WerFault.exe	283
4232	4712	WerFault.exe	281
2536	4948	WerFault.exe	291
2168	2032	WerFault.exe	289

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WerFault.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{6D5C93A9-414C-4416-B5C1-3467DB588309}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{DF5E8BBD-0D0D-483D-AC45-F31E91F566A5}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{BD643128-8C1D-49EE-A16D-9D07F3D51FD8}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3108	explorer.exe
Token: SeCreatePagefilePrivilege	3108	explorer.exe
Token: SeShutdownPrivilege	3108	explorer.exe
Token: SeCreatePagefilePrivilege	3108	explorer.exe
Token: SeShutdownPrivilege	3108	explorer.exe
Token: SeCreatePagefilePrivilege	3108	explorer.exe
Token: SeShutdownPrivilege	3108	explorer.exe
Token: SeCreatePagefilePrivilege	3108	explorer.exe
Token: SeShutdownPrivilege	3108	explorer.exe
Token: SeCreatePagefilePrivilege	3108	explorer.exe
Token: SeShutdownPrivilege	3108	explorer.exe
Token: SeCreatePagefilePrivilege	3108	explorer.exe
Token: SeShutdownPrivilege	3108	explorer.exe
Token: SeCreatePagefilePrivilege	3108	explorer.exe
Token: SeShutdownPrivilege	3108	explorer.exe
Token: SeCreatePagefilePrivilege	3108	explorer.exe
Token: SeShutdownPrivilege	3108	explorer.exe
Token: SeCreatePagefilePrivilege	3108	explorer.exe
Token: SeShutdownPrivilege	3108	explorer.exe
Token: SeCreatePagefilePrivilege	3108	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	4240	explorer.exe
Token: SeCreatePagefilePrivilege	4240	explorer.exe
Token: SeShutdownPrivilege	3980	explorer.exe
Token: SeCreatePagefilePrivilege	3980	explorer.exe
Token: SeShutdownPrivilege	3980	explorer.exe
Token: SeCreatePagefilePrivilege	3980	explorer.exe
Token: SeShutdownPrivilege	3980	explorer.exe
Token: SeCreatePagefilePrivilege	3980	explorer.exe
Token: SeShutdownPrivilege	3980	explorer.exe
Token: SeCreatePagefilePrivilege	3980	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
4240	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3460	explorer.exe
3460	explorer.exe
3460	explorer.exe
3460	explorer.exe
3460	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
876	StartMenuExperienceHost.exe
4584	StartMenuExperienceHost.exe
1816	SearchApp.exe
1396	StartMenuExperienceHost.exe
3996	SearchApp.exe
3828	StartMenuExperienceHost.exe
3096	StartMenuExperienceHost.exe
2984	Process not Found

C:\Users\Admin\AppData\Local\Temp\e55107428e0b2684be55ed6daea4ecaf1b509f13e689493d1d0dc3b3d42270ba.exe
"C:\Users\Admin\AppData\Local\Temp\e55107428e0b2684be55ed6daea4ecaf1b509f13e689493d1d0dc3b3d42270ba.exe"
1⤵
PID:2024

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3108 -s 6216
  2⤵
  - Program crash
  PID:4856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 3108 -ip 3108
1⤵
PID:5108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4240
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4240 -s 7304
  2⤵
  - Program crash
  PID:1076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1816
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1816 -s 3944
  2⤵
  - Program crash
  PID:2040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 1816 -ip 1816
1⤵
PID:4668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4240 -ip 4240
1⤵
PID:4564

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3980
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3980 -s 7420
  2⤵
  - Program crash
  PID:3224

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3996
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3996 -s 3552
  2⤵
  - Program crash
  PID:3380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 3996 -ip 3996
1⤵
PID:3532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 3980 -ip 3980
1⤵
PID:3556

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3460
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3460 -s 5928
  2⤵
  - Program crash
  PID:3392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3460 -ip 3460
1⤵
PID:3800

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4796
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4796 -s 5800
  2⤵
  - Program crash
  PID:4716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2984
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2984 -s 3548
  2⤵
  - Program crash
  PID:3660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 2984 -ip 2984
1⤵
PID:3140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 4796 -ip 4796
1⤵
PID:4464

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
PID:4068
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4068 -s 6100
  2⤵
  - Program crash
  PID:4272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4964

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 4068 -ip 4068
1⤵
PID:4904

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3040 -s 7336
  2⤵
  - Program crash
  PID:4940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1808
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1808 -s 3592
  2⤵
  - Program crash
  PID:4668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 1808 -ip 1808
1⤵
PID:4652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3040 -ip 3040
1⤵
PID:3360

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4176
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4176 -s 5220
  2⤵
  - Program crash
  PID:3596

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2512
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2512 -s 3504
  2⤵
  - Program crash
  PID:2872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 2512 -ip 2512
1⤵
PID:1568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 4176 -ip 4176
1⤵
PID:4756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5088
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5088 -s 7452
  2⤵
  - Program crash
  PID:2816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5020

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5068
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5068 -s 3552
  2⤵
  - Program crash
  PID:432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 5068 -ip 5068
1⤵
PID:4688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 5088 -ip 5088
1⤵
PID:4956

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4880
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4880 -s 5900
  2⤵
  - Program crash
  PID:1880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3160

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1384 -s 3604
  2⤵
  - Program crash
  PID:4584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1384 -ip 1384
1⤵
PID:4012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4880 -ip 4880
1⤵
PID:3632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4040 -s 5916
  2⤵
  - Program crash
  PID:1304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1292

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 4040 -ip 4040
1⤵
PID:3152

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3700
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3700 -s 7468
  2⤵
  - Program crash
  PID:4088

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3668

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4028
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4028 -s 3520
  2⤵
  - Program crash
  PID:1076

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 4028 -ip 4028
1⤵
PID:4540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 3700 -ip 3700
1⤵
PID:3924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4652
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4652 -s 3488
  2⤵
  - Program crash
  PID:4192

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3468

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4932
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4932 -s 3576
  2⤵
  - Program crash
  PID:2052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 4932 -ip 4932
1⤵
PID:3712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 4652 -ip 4652
1⤵
PID:5080

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3728
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3728 -s 5972
  2⤵
  - Program crash
  PID:4444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3728 -ip 3728
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:4796

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3376
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3376 -s 7544
  2⤵
  - Program crash
  PID:2468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2168

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3456
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3456 -s 3580
  2⤵
  - Program crash
  PID:1216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 3456 -ip 3456
1⤵
PID:4884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 3376 -ip 3376
1⤵
PID:3372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4576
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4576 -s 7460
  2⤵
  - Program crash
  PID:5052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:412

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4336
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4336 -s 3588
  2⤵
  - Program crash
  PID:3728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 652 -p 4336 -ip 4336
1⤵
PID:3616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 4576 -ip 4576
1⤵
PID:1708

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1876
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1876 -s 5828
  2⤵
  - Program crash
  PID:1008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2468

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 648 -p 1876 -ip 1876
1⤵
PID:3260

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1812
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1812 -s 5360
  2⤵
  - Program crash
  PID:4888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4864

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3052
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3052 -s 3612
  2⤵
  - Program crash
  PID:3348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 3052 -ip 3052
1⤵
PID:1324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 1812 -ip 1812
1⤵
PID:488

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3304 -s 3816
  2⤵
  - Program crash
  PID:3892

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3068

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1416
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1416 -s 3548
  2⤵
  - Program crash
  PID:4244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 1416 -ip 1416
1⤵
PID:3996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 3304 -ip 3304
1⤵
PID:2524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4696
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4696 -s 7564
  2⤵
  - Program crash
  PID:3884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1524

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3392
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3392 -s 3444
  2⤵
  - Program crash
  PID:876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 696 -p 3392 -ip 3392
1⤵
PID:3232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 712 -p 4696 -ip 4696
1⤵
PID:4344

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3904 -s 1864
  2⤵
  - Program crash
  PID:4652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2536

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3892
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3892 -s 3564
  2⤵
  - Program crash
  PID:5024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 692 -p 3892 -ip 3892
1⤵
PID:4540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 700 -p 3904 -ip 3904
1⤵
PID:772

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3360
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3360 -s 5916
  2⤵
  - Program crash
  PID:1708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4552

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3312
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3312 -s 3620
  2⤵
  - Program crash
  PID:1988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 3312 -ip 3312
1⤵
PID:3700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 3360 -ip 3360
1⤵
PID:1576

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:368
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 368 -s 6164
  2⤵
  - Program crash
  PID:4992

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 368 -ip 368
1⤵
PID:2168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4240
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4240 -s 7232
  2⤵
  - Program crash
  PID:4564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5040

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4760
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4760 -s 3588
  2⤵
  - Program crash
  PID:1312

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 4760 -ip 4760
1⤵
- Enumerates connected drives
- Modifies registry class
PID:4796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 4240 -ip 4240
1⤵
PID:3316

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4768
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4768 -s 7536
  2⤵
  - Program crash
  PID:1692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1552
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1552 -s 3904
  2⤵
  - Program crash
  PID:4916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 1552 -ip 1552
1⤵
PID:4660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4768 -ip 4768
1⤵
PID:5088

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1324
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1324 -s 4352
  2⤵
  - Program crash
  PID:1652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1876
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1876 -s 3556
  2⤵
  - Program crash
  PID:2540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 1876 -ip 1876
1⤵
PID:4084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 1324 -ip 1324
1⤵
PID:740

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4712
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4712 -s 5852
  2⤵
  - Program crash
  PID:4232

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2604
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2604 -s 3584
  2⤵
  - Program crash
  PID:3160

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2604 -ip 2604
1⤵
PID:4768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 4712 -ip 4712
1⤵
PID:3780

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2032
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2032 -s 5736
  2⤵
  - Program crash
  PID:2168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4948
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4948 -s 3592
  2⤵
  - Program crash
  PID:2536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 4948 -ip 4948
1⤵
PID:1740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 2032 -ip 2032
1⤵
PID:4296

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
516581c13994c7610e9baf3be548909b

SHA1
21e0edb2993d6764cf5e292511089565ae3445f0

SHA256
a77ac4115bf539d2979d13b895b2a3e2a307fdaef7a8217ea0d3e630481b3d02

SHA512
2fe3dade9175f4481f6e9d003a3dd39e63f7789936032a7fda4750bc14cb57563712e1053992928414c3ce3618876e86d5f2b2650599e2e612e383b960ba6708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
b2f5d38a816de00e2c000ef3376ff82a

SHA1
4850cf15f3f56abdfb5649f2c7ad192ce28a69d3

SHA256
58427c7198025429e8a52f61761e0e30c1bdb2d84525b0b337d90fe76a3fcd2d

SHA512
e1bbc8ac2d9ea4b49b40864b2fed2cf80f0381b5576bf9ffd5ea62013d024b7d3587472efc5077d53c73c02d19892ed5c7c83eedd8736c536ef750938233ea90

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
memory/1384-153-0x000001CA99FE0000-0x000001CA9A000000-memory.dmp

Filesize
128KB

Download
memory/1384-156-0x000001CA9A6F0000-0x000001CA9A710000-memory.dmp

Filesize
128KB

Download
memory/1384-151-0x000001CA9A320000-0x000001CA9A340000-memory.dmp

Filesize
128KB

Download
memory/1416-296-0x000001DC8FF20000-0x000001DC8FF40000-memory.dmp

Filesize
128KB

Download
memory/1416-294-0x000001DC8FB20000-0x000001DC8FB40000-memory.dmp

Filesize
128KB

Download
memory/1416-292-0x000001DC8FB60000-0x000001DC8FB80000-memory.dmp

Filesize
128KB

Download
memory/1808-89-0x000002704ECC0000-0x000002704ECE0000-memory.dmp

Filesize
128KB

Download
memory/1808-85-0x000002704E6F0000-0x000002704E710000-memory.dmp

Filesize
128KB

Download
memory/1808-87-0x000002704E6B0000-0x000002704E6D0000-memory.dmp

Filesize
128KB

Download
memory/1812-262-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

Filesize
4KB

Download
memory/1816-16-0x000002765F940000-0x000002765F960000-memory.dmp

Filesize
128KB

Download
memory/1816-14-0x000002765F980000-0x000002765F9A0000-memory.dmp

Filesize
128KB

Download
memory/1816-17-0x000002765FD50000-0x000002765FD70000-memory.dmp

Filesize
128KB

Download
memory/2512-110-0x0000014383290000-0x00000143832B0000-memory.dmp

Filesize
128KB

Download
memory/2512-108-0x00000143832D0000-0x00000143832F0000-memory.dmp

Filesize
128KB

Download
memory/2512-112-0x00000143838A0000-0x00000143838C0000-memory.dmp

Filesize
128KB

Download
memory/2984-67-0x00000244B4B90000-0x00000244B4BB0000-memory.dmp

Filesize
128KB

Download
memory/2984-61-0x00000244B47C0000-0x00000244B47E0000-memory.dmp

Filesize
128KB

Download
memory/2984-65-0x00000244B4780000-0x00000244B47A0000-memory.dmp

Filesize
128KB

Download
memory/3040-77-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/3052-273-0x00000228DC3F0000-0x00000228DC410000-memory.dmp

Filesize
128KB

Download
memory/3052-271-0x00000228DBDE0000-0x00000228DBE00000-memory.dmp

Filesize
128KB

Download
memory/3052-269-0x00000228DC020000-0x00000228DC040000-memory.dmp

Filesize
128KB

Download
memory/3304-284-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/3312-358-0x000001DB13310000-0x000001DB13330000-memory.dmp

Filesize
128KB

Download
memory/3312-360-0x000001DB132D0000-0x000001DB132F0000-memory.dmp

Filesize
128KB

Download
memory/3312-363-0x000001DB138E0000-0x000001DB13900000-memory.dmp

Filesize
128KB

Download
memory/3360-350-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/3376-215-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/3392-315-0x000002352CC00000-0x000002352CC20000-memory.dmp

Filesize
128KB

Download
memory/3392-318-0x000002352C9C0000-0x000002352C9E0000-memory.dmp

Filesize
128KB

Download
memory/3392-320-0x000002352CFD0000-0x000002352CFF0000-memory.dmp

Filesize
128KB

Download
memory/3456-226-0x0000026C681E0000-0x0000026C68200000-memory.dmp

Filesize
128KB

Download
memory/3456-222-0x0000026C67E20000-0x0000026C67E40000-memory.dmp

Filesize
128KB

Download
memory/3456-224-0x0000026C67BD0000-0x0000026C67BF0000-memory.dmp

Filesize
128KB

Download
memory/3700-167-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

Filesize
4KB

Download
memory/3892-338-0x0000024BEFAC0000-0x0000024BEFAE0000-memory.dmp

Filesize
128KB

Download
memory/3892-340-0x0000024BEFA80000-0x0000024BEFAA0000-memory.dmp

Filesize
128KB

Download
memory/3892-343-0x0000024BEFE90000-0x0000024BEFEB0000-memory.dmp

Filesize
128KB

Download
memory/3904-330-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/3980-30-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/3996-37-0x0000015614490000-0x00000156144B0000-memory.dmp

Filesize
128KB

Download
memory/3996-44-0x0000015614A60000-0x0000015614A80000-memory.dmp

Filesize
128KB

Download
memory/3996-40-0x0000015614450000-0x0000015614470000-memory.dmp

Filesize
128KB

Download
memory/4028-181-0x000001F03CD20000-0x000001F03CD40000-memory.dmp

Filesize
128KB

Download
memory/4028-178-0x000001F03C920000-0x000001F03C940000-memory.dmp

Filesize
128KB

Download
memory/4028-175-0x000001F03C960000-0x000001F03C980000-memory.dmp

Filesize
128KB

Download
memory/4176-100-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4240-8-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/4336-245-0x00000286AA470000-0x00000286AA490000-memory.dmp

Filesize
128KB

Download
memory/4336-251-0x00000286AA840000-0x00000286AA860000-memory.dmp

Filesize
128KB

Download
memory/4336-247-0x00000286AA430000-0x00000286AA450000-memory.dmp

Filesize
128KB

Download
memory/4576-237-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/4652-191-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/4696-307-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/4796-53-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/4880-143-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/4932-198-0x00000202C2B80000-0x00000202C2BA0000-memory.dmp

Filesize
128KB

Download
memory/4932-201-0x00000202C2B40000-0x00000202C2B60000-memory.dmp

Filesize
128KB

Download
memory/4932-205-0x00000202C2F50000-0x00000202C2F70000-memory.dmp

Filesize
128KB

Download
memory/5068-137-0x0000024BF1AD0000-0x0000024BF1AF0000-memory.dmp

Filesize
128KB

Download
memory/5068-134-0x0000024BF13C0000-0x0000024BF13E0000-memory.dmp

Filesize
128KB

Download
memory/5068-131-0x0000024BF1700000-0x0000024BF1720000-memory.dmp

Filesize
128KB

Download
memory/5088-124-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads