322b98e17f283dc1b3fdd10fc4e195f9022567135b6b19d27df40a898cf3c500

Analysis

max time kernel
28s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 11:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

322b98e17f283dc1b3fdd10fc4e195f9022567135b6b19d27df40a898cf3c500.exe
Size

3.3MB
MD5

f0bcedf8ae12aa3081459c2cbf4e0b03
SHA1

162cdccfbff2125c068418e597f1b2c9c9fef823
SHA256

322b98e17f283dc1b3fdd10fc4e195f9022567135b6b19d27df40a898cf3c500
SHA512

6f829e3c943b1c4aaf933055197211c4da69fc60564666be697de164922646a4c7036aeb89ffe886c2fc022d37305e81137996b63b4d3a489d90439a428aee6e
SSDEEP

49152:H7TvfU+8X9GrNOsva5RbKhF3ANkTTlUzVNAWTqfS4oZu7CsOdE:c+8X9G3vP3AMyRTqboZNM

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	WerFault.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	WerFault.exe
File opened (read-only)	\??\F:	explorer.exe

Program crash 51 IoCs

pid	pid_target	Process	procid_target
1592	1444	WerFault.exe	87
3304	856	WerFault.exe	96
1724	1260	WerFault.exe	105
3564	3548	WerFault.exe	103
4840	4944	WerFault.exe	111
4988	1824	WerFault.exe	119
3352	3404	WerFault.exe	117
2928	3708	WerFault.exe	127
4880	3652	WerFault.exe	125
3404	3352	WerFault.exe	134
2956	3800	WerFault.exe	141
3616	4628	WerFault.exe	139
3056	3816	WerFault.exe	149
5032	1244	WerFault.exe	147
3852	3508	WerFault.exe	155
4748	4928	WerFault.exe	162
2952	3732	WerFault.exe	160
4912	4240	WerFault.exe	170
3244	3700	WerFault.exe	168
1472	2016	WerFault.exe	178
4052	2020	WerFault.exe	176
3568	3304	WerFault.exe	184
3120	4636	WerFault.exe	191
3240	4300	WerFault.exe	189
4972	3272	WerFault.exe	199
1188	2068	WerFault.exe	197
1052	1632	WerFault.exe	207
2956	4464	WerFault.exe	205
548	3544	WerFault.exe	215
3836	2788	WerFault.exe	213
3700	1396	WerFault.exe	223
2776	492	WerFault.exe	221
3380	4872	WerFault.exe	229
3596	3928	WerFault.exe	236
764	3032	WerFault.exe	234
4808	2924	WerFault.exe	244
652	1844	WerFault.exe	242
3420	4148	WerFault.exe	250
4216	4588	WerFault.exe	257
4828	872	WerFault.exe	255
2504	4292	WerFault.exe	263
4040	1332	WerFault.exe	270
224	1796	WerFault.exe	268
3360	4188	WerFault.exe	278
3712	2152	WerFault.exe	276
368	3848	WerFault.exe	284
1588	1548	WerFault.exe	291
2504	1632	WerFault.exe	289
2364	2592	WerFault.exe	297
3296	3720	WerFault.exe	304
3244	3200	WerFault.exe	302

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1043950675-1972537973-2972532878-1000\{2CACE24C-538A-4355-A148-ADB7044E5F38}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1043950675-1972537973-2972532878-1000\{9326BFA7-73E9-4898-9864-78B83343650B}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1043950675-1972537973-2972532878-1000\{F70BB011-F64F-4943-94D4-13D176792A15}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WerFault.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1043950675-1972537973-2972532878-1000\{AEB8ABAB-6AEA-49BB-8FC6-5AEBE6C1D59A}	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1043950675-1972537973-2972532878-1000\{14436AB6-200F-499E-AD2A-CB85D912EC7A}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeCreatePagefilePrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeCreatePagefilePrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeCreatePagefilePrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeCreatePagefilePrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeCreatePagefilePrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeCreatePagefilePrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeCreatePagefilePrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeCreatePagefilePrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeCreatePagefilePrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeCreatePagefilePrivilege	856	explorer.exe
Token: SeShutdownPrivilege	3548	explorer.exe
Token: SeCreatePagefilePrivilege	3548	explorer.exe
Token: SeShutdownPrivilege	3548	explorer.exe
Token: SeCreatePagefilePrivilege	3548	explorer.exe
Token: SeShutdownPrivilege	3548	explorer.exe
Token: SeCreatePagefilePrivilege	3548	explorer.exe
Token: SeShutdownPrivilege	3548	explorer.exe
Token: SeCreatePagefilePrivilege	3548	explorer.exe
Token: SeShutdownPrivilege	3548	explorer.exe
Token: SeCreatePagefilePrivilege	3548	explorer.exe
Token: SeShutdownPrivilege	3548	explorer.exe
Token: SeCreatePagefilePrivilege	3548	explorer.exe
Token: SeShutdownPrivilege	3548	explorer.exe
Token: SeCreatePagefilePrivilege	3548	explorer.exe
Token: SeShutdownPrivilege	3548	explorer.exe
Token: SeCreatePagefilePrivilege	3548	explorer.exe
Token: SeShutdownPrivilege	3548	explorer.exe
Token: SeCreatePagefilePrivilege	3548	explorer.exe
Token: SeShutdownPrivilege	3548	explorer.exe
Token: SeCreatePagefilePrivilege	3548	explorer.exe
Token: SeShutdownPrivilege	3548	explorer.exe
Token: SeCreatePagefilePrivilege	3548	explorer.exe
Token: SeShutdownPrivilege	3548	explorer.exe
Token: SeCreatePagefilePrivilege	3548	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
3548	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4332	StartMenuExperienceHost.exe
4656	StartMenuExperienceHost.exe
1748	StartMenuExperienceHost.exe
1260	SearchApp.exe
3236	StartMenuExperienceHost.exe
652	WerFault.exe
1824	SearchApp.exe
4252	WerFault.exe
3708	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\322b98e17f283dc1b3fdd10fc4e195f9022567135b6b19d27df40a898cf3c500.exe
"C:\Users\Admin\AppData\Local\Temp\322b98e17f283dc1b3fdd10fc4e195f9022567135b6b19d27df40a898cf3c500.exe"
1⤵
PID:1296

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1444
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1444 -s 6244
  2⤵
  - Program crash
  PID:1592

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 1444 -ip 1444
1⤵
PID:2204

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:856
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 856 -s 6068
  2⤵
  - Program crash
  PID:3304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 856 -ip 856
1⤵
PID:3564

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3548
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3548 -s 4644
  2⤵
  - Program crash
  PID:3564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1260
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1260 -s 3836
  2⤵
  - Program crash
  PID:1724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 1260 -ip 1260
1⤵
PID:4140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 3548 -ip 3548
1⤵
PID:4624

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4944
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4944 -s 5972
  2⤵
  - Program crash
  PID:4840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3236

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 4944 -ip 4944
1⤵
PID:1784

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3404
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3404 -s 7432
  2⤵
  - Program crash
  PID:3352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:652

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1824
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1824 -s 3588
  2⤵
  - Program crash
  PID:4988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 1824 -ip 1824
1⤵
PID:3320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 3404 -ip 3404
1⤵
PID:4044

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:3652
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3652 -s 7584
  2⤵
  - Program crash
  PID:4880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4252

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3708
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3708 -s 3564
  2⤵
  - Program crash
  PID:2928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 3708 -ip 3708
1⤵
PID:920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3652 -ip 3652
1⤵
PID:2204

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3352
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3352 -s 3768
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Program crash
  - Modifies registry class
  - Suspicious use of SendNotifyMessage
  PID:3404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 3352 -ip 3352
1⤵
PID:3924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4628
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4628 -s 2356
  2⤵
  - Program crash
  PID:3616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3268

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3800
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3800 -s 3604
  2⤵
  - Program crash
  PID:2956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 3800 -ip 3800
1⤵
PID:4224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4628 -ip 4628
1⤵
PID:3632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1244
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1244 -s 3704
  2⤵
  - Program crash
  PID:5032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3816
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3816 -s 3568
  2⤵
  - Program crash
  PID:3056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3816 -ip 3816
1⤵
PID:4256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 1244 -ip 1244
1⤵
PID:3800

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3508
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3508 -s 6004
  2⤵
  - Program crash
  PID:3852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3508 -ip 3508
1⤵
PID:2164

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3732
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3732 -s 6256
  2⤵
  - Program crash
  PID:2952

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4928 -s 3512
  2⤵
  - Program crash
  PID:4748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4928 -ip 4928
1⤵
PID:3444

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 3732 -ip 3732
1⤵
PID:3276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3700
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3700 -s 7392
  2⤵
  - Program crash
  PID:3244

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:632

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4240
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4240 -s 3576
  2⤵
  - Program crash
  PID:4912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 4240 -ip 4240
1⤵
PID:4848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 676 -p 3700 -ip 3700
1⤵
PID:3200

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2020
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2020 -s 7456
  2⤵
  - Program crash
  PID:4052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1156

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2016
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2016 -s 3572
  2⤵
  - Program crash
  PID:1472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 684 -p 2016 -ip 2016
1⤵
PID:3856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 2020 -ip 2020
1⤵
PID:212

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3304 -s 5924
  2⤵
  - Program crash
  PID:3568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 684 -p 3304 -ip 3304
1⤵
PID:392

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4300
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4300 -s 7384
  2⤵
  - Program crash
  PID:3240

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2364

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4636
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4636 -s 3568
  2⤵
  - Program crash
  PID:3120

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 720 -p 4636 -ip 4636
1⤵
PID:4428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 684 -p 4300 -ip 4300
1⤵
PID:5068

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2068
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2068 -s 7428
  2⤵
  - Program crash
  PID:1188

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3244

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3272
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3272 -s 3528
  2⤵
  - Program crash
  PID:4972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 3272 -ip 3272
1⤵
PID:3556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 2068 -ip 2068
1⤵
PID:4412

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4464
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4464 -s 5828
  2⤵
  - Program crash
  PID:2956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4076

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1632
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1632 -s 3556
  2⤵
  - Program crash
  PID:1052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 680 -p 1632 -ip 1632
1⤵
PID:2648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 4464 -ip 4464
1⤵
PID:2196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2788
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2788 -s 5816
  2⤵
  - Program crash
  PID:3836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3916

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3544
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3544 -s 3552
  2⤵
  - Program crash
  PID:548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3544 -ip 3544
1⤵
PID:4056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2788 -ip 2788
1⤵
PID:4396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:492
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 492 -s 7436
  2⤵
  - Program crash
  PID:2776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1396
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1396 -s 3580
  2⤵
  - Program crash
  PID:3700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 652 -p 1396 -ip 1396
1⤵
PID:3508

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 492 -ip 492
1⤵
PID:5064

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4872 -s 6056
  2⤵
  - Program crash
  PID:3380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 4872 -ip 4872
1⤵
PID:3156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3032
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3032 -s 7320
  2⤵
  - Program crash
  PID:764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2380

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3928 -s 3604
  2⤵
  - Program crash
  PID:3596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3928 -ip 3928
1⤵
PID:3732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 3032 -ip 3032
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1844
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1844 -s 7428
  2⤵
  - Program crash
  - Suspicious use of SetWindowsHookEx
  PID:652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4748

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2924
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2924 -s 3548
  2⤵
  - Program crash
  PID:4808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 2924 -ip 2924
1⤵
PID:880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 1844 -ip 1844
1⤵
PID:4212

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4148
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4148 -s 6104
  2⤵
  - Program crash
  PID:3420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1156

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 4148 -ip 4148
1⤵
PID:4976

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 872 -s 7332
  2⤵
  - Program crash
  PID:4828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3388

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4588
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4588 -s 3588
  2⤵
  - Program crash
  PID:4216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4588 -ip 4588
1⤵
PID:2700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 872 -ip 872
1⤵
PID:3940

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4292
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4292 -s 6072
  2⤵
  - Program crash
  PID:2504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4464

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4292 -ip 4292
1⤵
PID:1004

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1796
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1796 -s 1880
  2⤵
  - Program crash
  PID:224

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1332
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1332 -s 3568
  2⤵
  - Program crash
  PID:4040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 1332 -ip 1332
1⤵
PID:2180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 1796 -ip 1796
1⤵
PID:2784

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2152
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2152 -s 5980
  2⤵
  - Program crash
  PID:3712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4188
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4188 -s 3868
  2⤵
  - Program crash
  PID:3360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 4188 -ip 4188
1⤵
PID:3704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 2152 -ip 2152
1⤵
PID:3436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3848
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3848 -s 5732
  2⤵
  - Program crash
  PID:368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 3848 -ip 3848
1⤵
PID:396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1632
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1632 -s 7228
  2⤵
  - Program crash
  PID:2504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4352

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1548
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1548 -s 3512
  2⤵
  - Program crash
  PID:1588

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 1548 -ip 1548
1⤵
PID:3840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 1632 -ip 1632
1⤵
PID:3696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2592
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2592 -s 5952
  2⤵
  - Program crash
  PID:2364

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2592 -ip 2592
1⤵
PID:2784

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3200
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3200 -s 7460
  2⤵
  - Program crash
  PID:3244

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3720
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3720 -s 3588
  2⤵
  - Program crash
  PID:3296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 652 -p 3720 -ip 3720
1⤵
PID:2788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 3200 -ip 3200
1⤵
PID:3456

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
516581c13994c7610e9baf3be548909b

SHA1
21e0edb2993d6764cf5e292511089565ae3445f0

SHA256
a77ac4115bf539d2979d13b895b2a3e2a307fdaef7a8217ea0d3e630481b3d02

SHA512
2fe3dade9175f4481f6e9d003a3dd39e63f7789936032a7fda4750bc14cb57563712e1053992928414c3ce3618876e86d5f2b2650599e2e612e383b960ba6708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
1634b22dbd71a23f64013c29f8a02757

SHA1
7c75bdbf4df7e6b6f3f33c23003ba0dcc17182d0

SHA256
7a08e84aa0cf47b430657ed61866ebdaf18174d8ba65579d823550a9313baf4d

SHA512
35e0ad2b8ba07316d96b755ce984b5d469ac327c1f77b412d53807b24313eed684a0966b5c8fb72b286eb958398842d2e385eb99a94d860b529a672362b3094f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
memory/492-279-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/872-345-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/1244-98-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/1260-20-0x00000296039F0000-0x0000029603A10000-memory.dmp

Filesize
128KB

Download
memory/1260-17-0x00000296033E0000-0x0000029603400000-memory.dmp

Filesize
128KB

Download
memory/1260-15-0x0000029603620000-0x0000029603640000-memory.dmp

Filesize
128KB

Download
memory/1396-287-0x0000011BB8E20000-0x0000011BB8E40000-memory.dmp

Filesize
128KB

Download
memory/1396-289-0x0000011BB8BE0000-0x0000011BB8C00000-memory.dmp

Filesize
128KB

Download
memory/1396-291-0x0000011BB91F0000-0x0000011BB9210000-memory.dmp

Filesize
128KB

Download
memory/1632-244-0x000001C7E21F0000-0x000001C7E2210000-memory.dmp

Filesize
128KB

Download
memory/1632-240-0x000001C7E1E20000-0x000001C7E1E40000-memory.dmp

Filesize
128KB

Download
memory/1632-242-0x000001C7E1BE0000-0x000001C7E1C00000-memory.dmp

Filesize
128KB

Download
memory/1824-38-0x0000017706640000-0x0000017706660000-memory.dmp

Filesize
128KB

Download
memory/1824-40-0x0000017706C50000-0x0000017706C70000-memory.dmp

Filesize
128KB

Download
memory/1824-36-0x0000017706680000-0x00000177066A0000-memory.dmp

Filesize
128KB

Download
memory/1844-327-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2016-177-0x000002A99CE20000-0x000002A99CE40000-memory.dmp

Filesize
128KB

Download
memory/2016-173-0x000002A99CA60000-0x000002A99CA80000-memory.dmp

Filesize
128KB

Download
memory/2016-175-0x000002A99CA20000-0x000002A99CA40000-memory.dmp

Filesize
128KB

Download
memory/2020-165-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/2068-212-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2788-256-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2924-342-0x000001EB575E0000-0x000001EB57600000-memory.dmp

Filesize
128KB

Download
memory/2924-339-0x000001EB571D0000-0x000001EB571F0000-memory.dmp

Filesize
128KB

Download
memory/2924-335-0x000001EB57210000-0x000001EB57230000-memory.dmp

Filesize
128KB

Download
memory/3032-303-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/3272-220-0x000001D1E9570000-0x000001D1E9590000-memory.dmp

Filesize
128KB

Download
memory/3272-222-0x000001D1E9530000-0x000001D1E9550000-memory.dmp

Filesize
128KB

Download
memory/3272-224-0x000001D1E9940000-0x000001D1E9960000-memory.dmp

Filesize
128KB

Download
memory/3404-28-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3544-268-0x0000023B42810000-0x0000023B42830000-memory.dmp

Filesize
128KB

Download
memory/3544-266-0x0000023B42400000-0x0000023B42420000-memory.dmp

Filesize
128KB

Download
memory/3544-264-0x0000023B42440000-0x0000023B42460000-memory.dmp

Filesize
128KB

Download
memory/3548-8-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/3652-51-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/3700-142-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/3708-64-0x00000215968C0000-0x00000215968E0000-memory.dmp

Filesize
128KB

Download
memory/3708-59-0x00000215962F0000-0x0000021596310000-memory.dmp

Filesize
128KB

Download
memory/3708-62-0x00000215962B0000-0x00000215962D0000-memory.dmp

Filesize
128KB

Download
memory/3732-119-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/3800-83-0x000001CBB89B0000-0x000001CBB89D0000-memory.dmp

Filesize
128KB

Download
memory/3800-85-0x000001CBB8970000-0x000001CBB8990000-memory.dmp

Filesize
128KB

Download
memory/3800-87-0x000001CBB8D80000-0x000001CBB8DA0000-memory.dmp

Filesize
128KB

Download
memory/3816-109-0x0000023F4BF20000-0x0000023F4BF40000-memory.dmp

Filesize
128KB

Download
memory/3816-112-0x0000023F4C320000-0x0000023F4C340000-memory.dmp

Filesize
128KB

Download
memory/3816-106-0x0000023F4BF60000-0x0000023F4BF80000-memory.dmp

Filesize
128KB

Download
memory/3928-311-0x000002A4CFE20000-0x000002A4CFE40000-memory.dmp

Filesize
128KB

Download
memory/3928-313-0x000002A4CFBE0000-0x000002A4CFC00000-memory.dmp

Filesize
128KB

Download
memory/3928-315-0x000002A4D01F0000-0x000002A4D0210000-memory.dmp

Filesize
128KB

Download
memory/4240-154-0x0000022892CE0000-0x0000022892D00000-memory.dmp

Filesize
128KB

Download
memory/4240-150-0x0000022892700000-0x0000022892720000-memory.dmp

Filesize
128KB

Download
memory/4240-152-0x00000228926C0000-0x00000228926E0000-memory.dmp

Filesize
128KB

Download
memory/4300-189-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/4464-232-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/4588-354-0x000002F95CE80000-0x000002F95CEA0000-memory.dmp

Filesize
128KB

Download
memory/4588-352-0x000002F95CEC0000-0x000002F95CEE0000-memory.dmp

Filesize
128KB

Download
memory/4588-356-0x000002F95D290000-0x000002F95D2B0000-memory.dmp

Filesize
128KB

Download
memory/4628-75-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4636-201-0x000001B27C080000-0x000001B27C0A0000-memory.dmp

Filesize
128KB

Download
memory/4636-197-0x000001B27BAB0000-0x000001B27BAD0000-memory.dmp

Filesize
128KB

Download
memory/4636-199-0x000001B27BA70000-0x000001B27BA90000-memory.dmp

Filesize
128KB

Download
memory/4928-132-0x000001AEF5380000-0x000001AEF53A0000-memory.dmp

Filesize
128KB

Download
memory/4928-129-0x000001AEF4F70000-0x000001AEF4F90000-memory.dmp

Filesize
128KB

Download
memory/4928-127-0x000001AEF4FB0000-0x000001AEF4FD0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads