08768741e2e69ae3ccb14bdfc9b8244a3ba5a4a860faaf4d0d0c9706a654eadc

Analysis

max time kernel
18s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2023, 10:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

08768741e2e69ae3ccb14bdfc9b8244a3ba5a4a860faaf4d0d0c9706a654eadc.exe
Size

3.1MB
MD5

6b61375561793925b38319a3631c5444
SHA1

580936db0fb82529fef17cffe9ebe672e13e408f
SHA256

08768741e2e69ae3ccb14bdfc9b8244a3ba5a4a860faaf4d0d0c9706a654eadc
SHA512

7ef9d0e52ea805b6e0b6f0490c896ed80b9e571e1eaec3caa3ef0139aeaea73b65cb94c97b78c50e16008b52c00683335d6111742278a5e5f0641352a820dae5
SSDEEP

49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTlSXo2+zZjyR:Q+8X9G3vP3AMkXozZjM

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\F:	Process not Found

Program crash 41 IoCs

pid	pid_target	Process	procid_target
2200	404	WerFault.exe	83
3248	2076	WerFault.exe	94
3980	2180	WerFault.exe	100
3520	3824	WerFault.exe	105
4656	2272	WerFault.exe	113
2956	4336	WerFault.exe	111
4228	3460	WerFault.exe	122
1376	4888	WerFault.exe	119
3024	916	WerFault.exe	130
4080	3180	WerFault.exe	128
4028	3852	WerFault.exe	136
900	4152	WerFault.exe	143
5080	4032	WerFault.exe	141
2928	452	WerFault.exe	149
2572	2804	WerFault.exe	156
4080	1940	WerFault.exe	154
2416	1896	WerFault.exe	164
3948	2928	WerFault.exe	162
2572	1680	WerFault.exe	170
2976	3520	WerFault.exe	177
3048	4068	WerFault.exe	175
900	3264	WerFault.exe	185
3020	3824	WerFault.exe	183
5004	3216	WerFault.exe	191
1300	4652	WerFault.exe	196
2772	452	WerFault.exe	203
5100	4744	WerFault.exe	201
3176	3404	WerFault.exe	211
1636	1416	WerFault.exe	209
2292	5108	WerFault.exe	217
220	4904	WerFault.exe	224
1040	3872	WerFault.exe	222
3220	2416	WerFault.exe	230
3464	1636	WerFault.exe	237
1144	3628	WerFault.exe	235
2688	4640	WerFault.exe	243
916	5080	WerFault.exe	245
3888	1040	WerFault.exe	253
4280	4040	WerFault.exe	251
3420	1724	WerFault.exe	261
3684	4036	WerFault.exe	259

Modifies registry class 32 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4176143399-3250363947-192774652-1000\{162FFA5C-96F3-425B-9565-582EAAAFABB2}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4176143399-3250363947-192774652-1000\{26641C67-B0BE-49CE-94F9-0D440DAAB385}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4176143399-3250363947-192774652-1000\{91BC4EBD-6E5B-4C2F-B757-27FCF15129B0}	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeCreatePagefilePrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4852	StartMenuExperienceHost.exe
448	StartMenuExperienceHost.exe
2624	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\08768741e2e69ae3ccb14bdfc9b8244a3ba5a4a860faaf4d0d0c9706a654eadc.exe
"C:\Users\Admin\AppData\Local\Temp\08768741e2e69ae3ccb14bdfc9b8244a3ba5a4a860faaf4d0d0c9706a654eadc.exe"
1⤵
PID:2632

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:404
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 404 -s 6200
  2⤵
  - Program crash
  PID:2200

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4852

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 404 -ip 404
1⤵
PID:624

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2076
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2076 -s 6120
  2⤵
  - Program crash
  PID:3248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 2076 -ip 2076
1⤵
PID:4076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2180
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2180 -s 7296
  2⤵
  - Program crash
  PID:3980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3824
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3824 -s 3944
  2⤵
  - Program crash
  PID:3520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3824 -ip 3824
1⤵
PID:4964

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 2180 -ip 2180
1⤵
PID:3524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4336
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4336 -s 7520
  2⤵
  - Program crash
  PID:2956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2272
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2272 -s 3616
  2⤵
  - Program crash
  PID:4656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 2272 -ip 2272
1⤵
PID:848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4336 -ip 4336
1⤵
PID:4328

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4888
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4888 -s 7404
  2⤵
  - Program crash
  PID:1376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2124

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3460
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3460 -s 3612
  2⤵
  - Program crash
  PID:4228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3460 -ip 3460
1⤵
PID:3636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 4888 -ip 4888
1⤵
PID:4028

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3180
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3180 -s 7332
  2⤵
  - Program crash
  PID:4080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5072

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 916 -s 3584
  2⤵
  - Program crash
  PID:3024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 916 -ip 916
1⤵
PID:4032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3180 -ip 3180
1⤵
PID:3580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3852
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3852 -s 4736
  2⤵
  - Program crash
  PID:4028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3852 -ip 3852
1⤵
PID:3948

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4032
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4032 -s 7492
  2⤵
  - Program crash
  PID:5080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3076

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4152
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4152 -s 3584
  2⤵
  - Program crash
  PID:900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4152 -ip 4152
1⤵
PID:4004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4032 -ip 4032
1⤵
PID:1932

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:452
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 452 -s 6076
  2⤵
  - Program crash
  PID:2928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 452 -ip 452
1⤵
PID:4080

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1940
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1940 -s 7420
  2⤵
  - Program crash
  PID:4080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3860

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2804
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2804 -s 3608
  2⤵
  - Program crash
  PID:2572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 2804 -ip 2804
1⤵
PID:3660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 1940 -ip 1940
1⤵
PID:4980

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2928 -s 7572
  2⤵
  - Program crash
  PID:3948

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1896
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1896 -s 3572
  2⤵
  - Program crash
  PID:2416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 1896 -ip 1896
1⤵
PID:4324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2928 -ip 2928
1⤵
PID:2220

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1680 -s 6192
  2⤵
  - Program crash
  PID:2572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 1680 -ip 1680
1⤵
PID:2712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4068
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4068 -s 5880
  2⤵
  - Program crash
  PID:3048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3520
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3520 -s 3540
  2⤵
  - Program crash
  PID:2976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 3520 -ip 3520
1⤵
PID:4396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 4068 -ip 4068
1⤵
PID:1240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3824
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3824 -s 7532
  2⤵
  - Program crash
  PID:3020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4040

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3264
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3264 -s 3576
  2⤵
  - Program crash
  PID:900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3264 -ip 3264
1⤵
PID:3612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3824 -ip 3824
1⤵
PID:3756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3216
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3216 -s 6204
  2⤵
  - Program crash
  PID:5004

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3216 -ip 3216
1⤵
PID:2932

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4652
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4652 -s 4776
  2⤵
  - Program crash
  PID:1300

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4160

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4652 -ip 4652
1⤵
PID:1912

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4744
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4744 -s 7324
  2⤵
  - Program crash
  PID:5100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4304

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:452
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 452 -s 3584
  2⤵
  - Program crash
  PID:2772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 452 -ip 452
1⤵
PID:4324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 4744 -ip 4744
1⤵
PID:2960

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1416
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1416 -s 7412
  2⤵
  - Program crash
  PID:1636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3756

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3404
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3404 -s 3588
  2⤵
  - Program crash
  PID:3176

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3404 -ip 3404
1⤵
PID:3880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1416 -ip 1416
1⤵
PID:3512

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5108 -s 6084
  2⤵
  - Program crash
  PID:2292

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 5108 -ip 5108
1⤵
PID:364

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3872 -s 7220
  2⤵
  - Program crash
  PID:1040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4904 -s 3560
  2⤵
  - Program crash
  PID:220

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 4904 -ip 4904
1⤵
PID:4408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 3872 -ip 3872
1⤵
PID:2976

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2416
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2416 -s 5960
  2⤵
  - Program crash
  PID:3220

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5080

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 2416 -ip 2416
1⤵
PID:4348

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3628
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3628 -s 6056
  2⤵
  - Program crash
  PID:1144

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1636
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1636 -s 3544
  2⤵
  - Program crash
  PID:3464

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 1636 -ip 1636
1⤵
PID:1168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 3628 -ip 3628
1⤵
PID:3172

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4640
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4640 -s 7564
  2⤵
  - Program crash
  PID:2688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4304

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5080
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5080 -s 3548
  2⤵
  - Program crash
  PID:916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 5080 -ip 5080
1⤵
PID:2272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 4640 -ip 4640
1⤵
PID:3172

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4040 -s 7372
  2⤵
  - Program crash
  PID:4280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:244

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1040 -s 3616
  2⤵
  - Program crash
  PID:3888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 1040 -ip 1040
1⤵
PID:3652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 4040 -ip 4040
1⤵
PID:4952

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4036
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4036 -s 4976
  2⤵
  - Program crash
  PID:3684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4004

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1724
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1724 -s 3560
  2⤵
  - Program crash
  PID:3420

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 1724 -ip 1724
1⤵
PID:452

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 4036 -ip 4036
1⤵
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
af5a8d4c269f24b03b8f67a9e12bd794

SHA1
14f868109a220fd221bda78d3ef22295b40ccbb1

SHA256
8ff8ca05a08b79e99a170760e8dbee4a650b4c6edc04a8da2d23b21507266152

SHA512
80ca0a7b0f1042771afe25fcf90d626c50fe9eee16341c63fe65878dfc56ae55b871d4158b06dec540d2eecf66163e65bc48ebf4f9c394407c3556c5b80b1e17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
1101335a5969d99f6e3eb8b9f1ca047b

SHA1
5e4c8266a6ef8082ac7d05cf3aef95a59de197cb

SHA256
41cf96fddef2d3bb111a3142fe508f0510e7c9a999286e7303b720b8bfa983a7

SHA512
28e12bacde7a197c3d54d5ac2bcfbe3c8756b26ff14c6af56ecc6682d053a99a83a99e8471ad31ef8ebc6c3a18c64158cd0a7f8f8d0453930f5ab1761d450ecb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
memory/452-229-0x00000265FA300000-0x00000265FA320000-memory.dmp

Filesize
128KB

Download
memory/452-232-0x00000265FA7A0000-0x00000265FA7C0000-memory.dmp

Filesize
128KB

Download
memory/452-227-0x00000265FA340000-0x00000265FA360000-memory.dmp

Filesize
128KB

Download
memory/916-84-0x000001CB6D670000-0x000001CB6D690000-memory.dmp

Filesize
128KB

Download
memory/916-87-0x000001CB6D630000-0x000001CB6D650000-memory.dmp

Filesize
128KB

Download
memory/916-89-0x000001CB6DA40000-0x000001CB6DA60000-memory.dmp

Filesize
128KB

Download
memory/1040-344-0x000002839A460000-0x000002839A480000-memory.dmp

Filesize
128KB

Download
memory/1040-346-0x000002839AB00000-0x000002839AB20000-memory.dmp

Filesize
128KB

Download
memory/1040-342-0x000002839A4A0000-0x000002839A4C0000-memory.dmp

Filesize
128KB

Download
memory/1416-242-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/1636-298-0x0000022B072E0000-0x0000022B07300000-memory.dmp

Filesize
128KB

Download
memory/1636-300-0x0000022B072A0000-0x0000022B072C0000-memory.dmp

Filesize
128KB

Download
memory/1636-304-0x0000022B07940000-0x0000022B07960000-memory.dmp

Filesize
128KB

Download
memory/1724-365-0x000001803EFE0000-0x000001803F000000-memory.dmp

Filesize
128KB

Download
memory/1724-369-0x000001803EFA0000-0x000001803EFC0000-memory.dmp

Filesize
128KB

Download
memory/1724-372-0x000001803F6B0000-0x000001803F6D0000-memory.dmp

Filesize
128KB

Download
memory/1896-155-0x000001CCC2770000-0x000001CCC2790000-memory.dmp

Filesize
128KB

Download
memory/1896-158-0x000001CCC2730000-0x000001CCC2750000-memory.dmp

Filesize
128KB

Download
memory/1896-161-0x000001CCC2B50000-0x000001CCC2B70000-memory.dmp

Filesize
128KB

Download
memory/1940-124-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2180-9-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/2272-40-0x000001DCF2E00000-0x000001DCF2E20000-memory.dmp

Filesize
128KB

Download
memory/2272-38-0x000001DCF2E40000-0x000001DCF2E60000-memory.dmp

Filesize
128KB

Download
memory/2272-42-0x000001DCF3280000-0x000001DCF32A0000-memory.dmp

Filesize
128KB

Download
memory/2804-134-0x000001B3C2B90000-0x000001B3C2BB0000-memory.dmp

Filesize
128KB

Download
memory/2804-136-0x000001B3C3030000-0x000001B3C3050000-memory.dmp

Filesize
128KB

Download
memory/2804-132-0x000001B3C2BD0000-0x000001B3C2BF0000-memory.dmp

Filesize
128KB

Download
memory/2928-147-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/3180-76-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3264-209-0x00000213B4180000-0x00000213B41A0000-memory.dmp

Filesize
128KB

Download
memory/3264-206-0x00000213B3D70000-0x00000213B3D90000-memory.dmp

Filesize
128KB

Download
memory/3264-202-0x00000213B3DB0000-0x00000213B3DD0000-memory.dmp

Filesize
128KB

Download
memory/3404-255-0x000001A4A5BC0000-0x000001A4A5BE0000-memory.dmp

Filesize
128KB

Download
memory/3404-250-0x000001A4A5760000-0x000001A4A5780000-memory.dmp

Filesize
128KB

Download
memory/3404-253-0x000001A4A5720000-0x000001A4A5740000-memory.dmp

Filesize
128KB

Download
memory/3460-64-0x000001E78EB20000-0x000001E78EB40000-memory.dmp

Filesize
128KB

Download
memory/3460-61-0x000001E78EB60000-0x000001E78EB80000-memory.dmp

Filesize
128KB

Download
memory/3460-67-0x000001E78EF40000-0x000001E78EF60000-memory.dmp

Filesize
128KB

Download
memory/3520-184-0x0000020AFE3C0000-0x0000020AFE3E0000-memory.dmp

Filesize
128KB

Download
memory/3520-179-0x0000020AFDF60000-0x0000020AFDF80000-memory.dmp

Filesize
128KB

Download
memory/3520-182-0x0000020AFDF20000-0x0000020AFDF40000-memory.dmp

Filesize
128KB

Download
memory/3628-290-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/3824-15-0x000002126A380000-0x000002126A3A0000-memory.dmp

Filesize
128KB

Download
memory/3824-17-0x000002126A340000-0x000002126A360000-memory.dmp

Filesize
128KB

Download
memory/3824-21-0x000002126A950000-0x000002126A970000-memory.dmp

Filesize
128KB

Download
memory/3824-194-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/3872-266-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4032-100-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/4036-357-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/4040-334-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/4068-172-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/4152-113-0x000002DE5C510000-0x000002DE5C530000-memory.dmp

Filesize
128KB

Download
memory/4152-108-0x000002DE5BEB0000-0x000002DE5BED0000-memory.dmp

Filesize
128KB

Download
memory/4152-110-0x000002DE5BE70000-0x000002DE5BE90000-memory.dmp

Filesize
128KB

Download
memory/4336-30-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/4640-310-0x00000000014E0000-0x00000000014E1000-memory.dmp

Filesize
4KB

Download
memory/4744-219-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/4888-54-0x00000000045C0000-0x00000000045C1000-memory.dmp

Filesize
4KB

Download
memory/4904-280-0x000001F565200000-0x000001F565220000-memory.dmp

Filesize
128KB

Download
memory/4904-277-0x000001F564E00000-0x000001F564E20000-memory.dmp

Filesize
128KB

Download
memory/4904-274-0x000001F564E40000-0x000001F564E60000-memory.dmp

Filesize
128KB

Download
memory/5080-325-0x00000200D89D0000-0x00000200D89F0000-memory.dmp

Filesize
128KB

Download
memory/5080-321-0x00000200D83C0000-0x00000200D83E0000-memory.dmp

Filesize
128KB

Download
memory/5080-318-0x00000200D8600000-0x00000200D8620000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads