da4839e46a0d094afecb77baea3d773b285fbec2b234010e4d67e1586b929269

Analysis

max time kernel
34s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 13:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

da4839e46a0d094afecb77baea3d773b285fbec2b234010e4d67e1586b929269.exe
Size

3.5MB
MD5

311c36eb5549b5a4f1d4dfdbb3694169
SHA1

aeafbfd3196fb0b3c51266592a6adc6280143956
SHA256

da4839e46a0d094afecb77baea3d773b285fbec2b234010e4d67e1586b929269
SHA512

d1c0a7ed9befd5b682ab7795d62be3df9e00985ac3037cbf8ea6c7d55c88da64efe2cdd297d7b9a75f6c7e05967a3e4f3be0975437691ba3058da724caebe7c8
SSDEEP

49152:H7TvfU+8X9GrNOsva5RbKhF3ANkTTl1o2X2F/DYnarhGwdmR0z:c+8X9G3vP3AMjo4o/DRrh9dqs

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 46 IoCs

pid	pid_target	Process	procid_target
4620	2904	WerFault.exe	82
1604	3768	WerFault.exe	89
436	1724	WerFault.exe	97
4984	1736	WerFault.exe	95
3416	3468	WerFault.exe	110
3976	776	WerFault.exe	108
1912	4624	WerFault.exe	120
4972	4780	WerFault.exe	127
4084	4120	WerFault.exe	125
4300	4028	WerFault.exe	135
4616	3368	WerFault.exe	133
1384	3624	WerFault.exe	141
4860	2660	WerFault.exe	148
4892	3816	WerFault.exe	146
3524	4520	WerFault.exe	154
2728	4132	WerFault.exe	161
3224	2764	WerFault.exe	159
3860	3052	WerFault.exe	169
4700	3248	WerFault.exe	167
2288	780	WerFault.exe	177
1944	1488	WerFault.exe	175
3144	4376	WerFault.exe	185
1968	3952	WerFault.exe	183
2816	3128	WerFault.exe	191
1240	4948	WerFault.exe	198
3436	4084	WerFault.exe	196
2904	4852	WerFault.exe	204
1632	4044	WerFault.exe	211
3304	3252	WerFault.exe	209
1912	3044	WerFault.exe	217
4348	4984	WerFault.exe	224
4404	4848	WerFault.exe	222
3804	2288	WerFault.exe	230
2168	2648	WerFault.exe	237
3432	3396	WerFault.exe	235
1676	2212	WerFault.exe	245
2168	1912	WerFault.exe	243
4984	208	WerFault.exe	251
2624	1856	WerFault.exe	258
4316	4904	WerFault.exe	256
3312	1356	WerFault.exe	266
4460	3592	WerFault.exe	264
2196	4580	WerFault.exe	273
956	2724	WerFault.exe	272
4568	1516	WerFault.exe	278
3416	2840	WerFault.exe	287

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{1414A6BA-AF84-402D-B782-5B674D45A3EE}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{DFE1E28E-C406-44D8-A8CA-6D152CD08CFA}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{1F1AB315-A4E1-44AD-B7E7-83C7F4B84EB1}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	WerFault.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	WerFault.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{4F84B7C7-0662-43B2-BDF7-3EF8D1FCAC0B}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	WerFault.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{97BFBA29-7503-481B-9E99-243C141DEA13}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	3768	explorer.exe
Token: SeCreatePagefilePrivilege	3768	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found
776	Process not Found

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1208	StartMenuExperienceHost.exe
5004	StartMenuExperienceHost.exe
3824	StartMenuExperienceHost.exe
1724	Process not Found
3468	WerFault.exe
4296	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\da4839e46a0d094afecb77baea3d773b285fbec2b234010e4d67e1586b929269.exe
"C:\Users\Admin\AppData\Local\Temp\da4839e46a0d094afecb77baea3d773b285fbec2b234010e4d67e1586b929269.exe"
1⤵
PID:4276

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2904 -s 6312
  2⤵
  - Program crash
  PID:4620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 2904 -ip 2904
1⤵
PID:4444

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3768
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3768 -s 5956
  2⤵
  - Program crash
  PID:1604

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 3768 -ip 3768
1⤵
PID:1460

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1736
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1736 -s 7428
  2⤵
  - Program crash
  PID:4984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1724
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1724 -s 3744
  2⤵
  - Program crash
  PID:436

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 1724 -ip 1724
1⤵
PID:524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 1736 -ip 1736
1⤵
PID:4460

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:776
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 776 -s 5900
  2⤵
  - Program crash
  PID:3976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
PID:2652

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3468
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3468 -s 3576
  2⤵
  - Program crash
  PID:3416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 3468 -ip 3468
1⤵
PID:1800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 776 -ip 776
1⤵
PID:1632

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:4624
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4624 -s 6076
  2⤵
  - Program crash
  PID:1912

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 4624 -ip 4624
1⤵
PID:1672

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:4120
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4120 -s 7588
  2⤵
  - Program crash
  PID:4084

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1520

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4780
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4780 -s 2892
  2⤵
  - Program crash
  PID:4972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4780 -ip 4780
1⤵
PID:3372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 4120 -ip 4120
1⤵
PID:2288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3368
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3368 -s 6088
  2⤵
  - Program crash
  PID:4616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3252

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4028
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4028 -s 3528
  2⤵
  - Program crash
  PID:4300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4028 -ip 4028
1⤵
PID:4408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3368 -ip 3368
1⤵
PID:4376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3624
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3624 -s 5972
  2⤵
  - Program crash
  PID:1384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 3624 -ip 3624
1⤵
PID:3604

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3816
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3816 -s 6008
  2⤵
  - Program crash
  PID:4892

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1848

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2660
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2660 -s 3564
  2⤵
  - Program crash
  PID:4860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 2660 -ip 2660
1⤵
PID:3768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 3816 -ip 3816
1⤵
PID:2208

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4520
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4520 -s 5920
  2⤵
  - Program crash
  PID:3524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 4520 -ip 4520
1⤵
PID:4840

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2764
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2764 -s 5340
  2⤵
  - Program crash
  PID:3224

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4088

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4132 -s 3592
  2⤵
  - Program crash
  PID:2728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 4132 -ip 4132
1⤵
PID:4756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 2764 -ip 2764
1⤵
PID:3524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3248
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3248 -s 3836
  2⤵
  - Program crash
  PID:4700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1260

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3052
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3052 -s 3576
  2⤵
  - Program crash
  PID:3860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 3052 -ip 3052
1⤵
PID:3628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 3248 -ip 3248
1⤵
PID:536

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1488
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1488 -s 6016
  2⤵
  - Program crash
  PID:1944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:780
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 780 -s 3556
  2⤵
  - Program crash
  PID:2288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 780 -ip 780
1⤵
PID:2712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 1488 -ip 1488
1⤵
PID:928

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3952 -s 6108
  2⤵
  - Program crash
  PID:1968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3340

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4376
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4376 -s 3592
  2⤵
  - Program crash
  PID:3144

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 4376 -ip 4376
1⤵
PID:4336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 3952 -ip 3952
1⤵
PID:1408

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3128
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3128 -s 5940
  2⤵
  - Program crash
  PID:2816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4604

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3128 -ip 3128
1⤵
PID:3480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4084
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4084 -s 5808
  2⤵
  - Program crash
  PID:3436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4948
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4948 -s 3536
  2⤵
  - Program crash
  PID:1240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 4948 -ip 4948
1⤵
PID:4684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 4084 -ip 4084
1⤵
PID:3804

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4852
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4852 -s 5948
  2⤵
  - Program crash
  PID:2904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3292

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 4852 -ip 4852
1⤵
PID:3948

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3252 -s 6044
  2⤵
  - Program crash
  PID:3304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4044
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4044 -s 3608
  2⤵
  - Program crash
  PID:1632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 4044 -ip 4044
1⤵
PID:2660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3252 -ip 3252
1⤵
PID:3048

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3044
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3044 -s 6028
  2⤵
  - Program crash
  PID:1912

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3344

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 3044 -ip 3044
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4848
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4848 -s 7412
  2⤵
  - Program crash
  PID:4404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4816

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4984
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4984 -s 3596
  2⤵
  - Program crash
  PID:4348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4984 -ip 4984
1⤵
PID:4056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 4848 -ip 4848
1⤵
PID:5108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2288
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2288 -s 5776
  2⤵
  - Program crash
  PID:3804

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 2288 -ip 2288
1⤵
PID:2652

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3396
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3396 -s 5888
  2⤵
  - Program crash
  PID:3432

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2648
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2648 -s 3580
  2⤵
  - Program crash
  PID:2168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 2648 -ip 2648
1⤵
PID:4628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 3396 -ip 3396
1⤵
PID:3912

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1912
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1912 -s 7392
  2⤵
  - Program crash
  PID:2168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5028

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2212
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2212 -s 3620
  2⤵
  - Program crash
  PID:1676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 2212 -ip 2212
1⤵
PID:3416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 1912 -ip 1912
1⤵
PID:2484

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:208
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 208 -s 5976
  2⤵
  - Program crash
  PID:4984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 208 -ip 208
1⤵
PID:1124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4904 -s 7472
  2⤵
  - Program crash
  PID:4316

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1856
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1856 -s 3548
  2⤵
  - Program crash
  PID:2624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 1856 -ip 1856
1⤵
PID:3608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 4904 -ip 4904
1⤵
PID:4168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3592
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3592 -s 6172
  2⤵
  - Program crash
  PID:4460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4396

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1356
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1356 -s 3544
  2⤵
  - Program crash
  PID:3312

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 1356 -ip 1356
1⤵
PID:1484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3592 -ip 3592
1⤵
PID:1644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2724
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2724 -s 3928
  2⤵
  - Program crash
  PID:956

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4580
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4580 -s 5828
  2⤵
  - Program crash
  PID:2196

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 4580 -ip 4580
1⤵
PID:3756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1516
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1516 -s 7240
  2⤵
  - Program crash
  PID:4568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 2724 -ip 2724
1⤵
PID:4452

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1516 -ip 1516
1⤵
PID:4888

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3396

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2840
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2840 -s 3548
  2⤵
  - Program crash
  PID:3416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 2840 -ip 2840
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
6ddab3d220aa64de376518f09581a3ce

SHA1
e2dbd1a5cadfb2fb9f74ace1328c39c20d9528e5

SHA256
7a6b0f6ee2e98e0070387d2c74ac65e6758cdf170f1a8e35b13349aa399f95af

SHA512
16c3df2683a8382ddfe249fe6fbbae5b793c9c1971bd7333d768fc6c5f76a8b6118f9a5dc0e11459a84994c74ea11e51225524e17462722832537385865e3b21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
232B

MD5
f84822038aa5f1a5fb685de4ef5d9e5a

SHA1
e35073bdaea26a4aee53b5522e017812f4cf6237

SHA256
92c02fe2d41ac986e25362de480c3336d8f5874c4208cd06f9596c8d766e0829

SHA512
5aca2888b25b8d812bdf5b8dada17863e97c115e5dd4d069dc640d98b64542ed2dc5900abea1e657bf4566c2e0a5d820fdccbc931b0ff26270e73d53ccef77f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{0A6AC72E-ED8C-C16F-38B6-05831557CF24}

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe

Filesize
36KB

MD5
406347732c383e23c3b1af590a47bccd

SHA1
fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

SHA256
e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

SHA512
18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
memory/776-31-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/780-182-0x00000297C1FD0000-0x00000297C1FF0000-memory.dmp

Filesize
128KB

Download
memory/780-184-0x00000297C26E0000-0x00000297C2700000-memory.dmp

Filesize
128KB

Download
memory/780-179-0x00000297C2320000-0x00000297C2340000-memory.dmp

Filesize
128KB

Download
memory/1356-364-0x0000017094280000-0x00000170942A0000-memory.dmp

Filesize
128KB

Download
memory/1356-370-0x0000017094650000-0x0000017094670000-memory.dmp

Filesize
128KB

Download
memory/1356-367-0x0000017094240000-0x0000017094260000-memory.dmp

Filesize
128KB

Download
memory/1488-171-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/1724-17-0x000001A05C960000-0x000001A05C980000-memory.dmp

Filesize
128KB

Download
memory/1724-20-0x000001A05CD70000-0x000001A05CD90000-memory.dmp

Filesize
128KB

Download
memory/1724-15-0x000001A05C9A0000-0x000001A05C9C0000-memory.dmp

Filesize
128KB

Download
memory/1736-8-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/1856-350-0x000001A0F04E0000-0x000001A0F0500000-memory.dmp

Filesize
128KB

Download
memory/1856-347-0x000001A0EFDD0000-0x000001A0EFDF0000-memory.dmp

Filesize
128KB

Download
memory/1856-344-0x000001A0F0120000-0x000001A0F0140000-memory.dmp

Filesize
128KB

Download
memory/1912-312-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/2212-320-0x000002548CA40000-0x000002548CA60000-memory.dmp

Filesize
128KB

Download
memory/2212-322-0x000002548CA00000-0x000002548CA20000-memory.dmp

Filesize
128KB

Download
memory/2212-324-0x000002548CE00000-0x000002548CE20000-memory.dmp

Filesize
128KB

Download
memory/2648-298-0x0000025EC1580000-0x0000025EC15A0000-memory.dmp

Filesize
128KB

Download
memory/2648-300-0x0000025EC1540000-0x0000025EC1560000-memory.dmp

Filesize
128KB

Download
memory/2648-302-0x0000025EC1950000-0x0000025EC1970000-memory.dmp

Filesize
128KB

Download
memory/2660-113-0x000001F325360000-0x000001F325380000-memory.dmp

Filesize
128KB

Download
memory/2660-111-0x000001F324F50000-0x000001F324F70000-memory.dmp

Filesize
128KB

Download
memory/2660-109-0x000001F324F90000-0x000001F324FB0000-memory.dmp

Filesize
128KB

Download
memory/2764-125-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/3052-162-0x000002AEFDDC0000-0x000002AEFDDE0000-memory.dmp

Filesize
128KB

Download
memory/3052-158-0x000002AEFD7B0000-0x000002AEFD7D0000-memory.dmp

Filesize
128KB

Download
memory/3052-156-0x000002AEFDA00000-0x000002AEFDA20000-memory.dmp

Filesize
128KB

Download
memory/3248-148-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/3252-243-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/3368-78-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/3396-291-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/3468-42-0x000002C4EFFD0000-0x000002C4EFFF0000-memory.dmp

Filesize
128KB

Download
memory/3468-40-0x000002C4EF9C0000-0x000002C4EF9E0000-memory.dmp

Filesize
128KB

Download
memory/3468-38-0x000002C4EFC00000-0x000002C4EFC20000-memory.dmp

Filesize
128KB

Download
memory/3592-356-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/3816-101-0x0000000003EB0000-0x0000000003EB1000-memory.dmp

Filesize
4KB

Download
memory/3952-194-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/4028-91-0x00000199DD1A0000-0x00000199DD1C0000-memory.dmp

Filesize
128KB

Download
memory/4028-92-0x00000199DD5B0000-0x00000199DD5D0000-memory.dmp

Filesize
128KB

Download
memory/4028-86-0x00000199DD1E0000-0x00000199DD200000-memory.dmp

Filesize
128KB

Download
memory/4044-252-0x000001309E920000-0x000001309E940000-memory.dmp

Filesize
128KB

Download
memory/4044-250-0x000001309E960000-0x000001309E980000-memory.dmp

Filesize
128KB

Download
memory/4044-254-0x000001309ED30000-0x000001309ED50000-memory.dmp

Filesize
128KB

Download
memory/4084-218-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/4120-55-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/4132-133-0x0000024543A00000-0x0000024543A20000-memory.dmp

Filesize
128KB

Download
memory/4132-137-0x0000024543DD0000-0x0000024543DF0000-memory.dmp

Filesize
128KB

Download
memory/4132-135-0x00000245439C0000-0x00000245439E0000-memory.dmp

Filesize
128KB

Download
memory/4376-207-0x000001F863650000-0x000001F863670000-memory.dmp

Filesize
128KB

Download
memory/4376-204-0x000001F863200000-0x000001F863220000-memory.dmp

Filesize
128KB

Download
memory/4376-202-0x000001F863240000-0x000001F863260000-memory.dmp

Filesize
128KB

Download
memory/4780-65-0x0000029FC29E0000-0x0000029FC2A00000-memory.dmp

Filesize
128KB

Download
memory/4780-68-0x0000029FC3180000-0x0000029FC31A0000-memory.dmp

Filesize
128KB

Download
memory/4780-63-0x0000029FC2D20000-0x0000029FC2D40000-memory.dmp

Filesize
128KB

Download
memory/4848-266-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4904-336-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/4948-229-0x000001F4633E0000-0x000001F463400000-memory.dmp

Filesize
128KB

Download
memory/4948-226-0x000001F463620000-0x000001F463640000-memory.dmp

Filesize
128KB

Download
memory/4948-231-0x000001F4639F0000-0x000001F463A10000-memory.dmp

Filesize
128KB

Download
memory/4984-277-0x0000023E549C0000-0x0000023E549E0000-memory.dmp

Filesize
128KB

Download
memory/4984-274-0x0000023E54D00000-0x0000023E54D20000-memory.dmp

Filesize
128KB

Download
memory/4984-279-0x0000023E550D0000-0x0000023E550F0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads