f407423a564d3674613cf8c2fcbe451903ebd6a65bb8c4becf5007d0c371a251

Analysis

max time kernel
27s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f407423a564d3674613cf8c2fcbe451903ebd6a65bb8c4becf5007d0c371a251.exe
Size

3.5MB
MD5

e3c94b1c718ecf76d0822fe7babf52d2
SHA1

e1933cbfb5ff5f99b92ac66fa236db1feff1731e
SHA256

f407423a564d3674613cf8c2fcbe451903ebd6a65bb8c4becf5007d0c371a251
SHA512

4643f55c9e42139442605530f1135cb3118f6f8f2a08f74f633696ecef6e9f3a957481e2039b7745be4727487bab15de661720d13bef2c6df1d2eadef3e384fb
SSDEEP

49152:H7TvfU+8X9GrNOsva5RbKhF3ANkTTl9UNL4z2wv3rXnLIE:c+8X9G3vP3AMjUNE3Lp

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	WerFault.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	WerFault.exe
File opened (read-only)	\??\F:	WerFault.exe
File opened (read-only)	\??\F:	WerFault.exe
File opened (read-only)	\??\D:	WerFault.exe
File opened (read-only)	\??\D:	WerFault.exe

Program crash 48 IoCs

pid	pid_target	Process	procid_target
4336	4340	WerFault.exe	87
3996	1192	WerFault.exe	95
4936	960	WerFault.exe	104
4000	3880	WerFault.exe	102
3744	3808	WerFault.exe	113
3184	4732	WerFault.exe	111
4272	3640	WerFault.exe	121
4172	3908	WerFault.exe	119
2328	1316	WerFault.exe	130
3176	968	WerFault.exe	128
5064	4328	WerFault.exe	138
4844	1784	WerFault.exe	136
936	4812	WerFault.exe	146
4844	3692	WerFault.exe	144
416	2940	WerFault.exe	152
4332	4340	WerFault.exe	157
1264	4808	WerFault.exe	164
1648	3464	WerFault.exe	162
2644	3692	WerFault.exe	172
3836	1280	WerFault.exe	170
5064	3164	WerFault.exe	180
3128	2916	WerFault.exe	178
704	3564	WerFault.exe	188
640	2624	WerFault.exe	186
1264	3468	WerFault.exe	196
3788	760	WerFault.exe	194
688	2124	WerFault.exe	202
4216	708	WerFault.exe	209
3464	4276	WerFault.exe	207
5048	3132	WerFault.exe	215
1580	4420	WerFault.exe	220
2612	2064	WerFault.exe	225
4068	4408	WerFault.exe	232
2984	3908	WerFault.exe	230
4284	3484	WerFault.exe	240
4312	3860	WerFault.exe	238
3524	4676	WerFault.exe	248
3020	3932	WerFault.exe	246
1120	4756	WerFault.exe	256
2856	3600	WerFault.exe	254
3908	3356	WerFault.exe	264
4876	4008	WerFault.exe	262
964	4284	WerFault.exe	271
492	3460	WerFault.exe	270
5100	1280	WerFault.exe	276
1264	1844	WerFault.exe	285
1560	1980	WerFault.exe	283
1984	4580	WerFault.exe	293

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{C7076917-2139-4329-B409-6B3C4C76332F}	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	WerFault.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WerFault.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{8F4F1522-5C0B-47F0-ACE1-EB4D40D6D3D5}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{7BE2E88D-5CC6-47DA-A31B-B808F519E2C0}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	4340	explorer.exe
Token: SeCreatePagefilePrivilege	4340	explorer.exe
Token: SeShutdownPrivilege	1192	WerFault.exe
Token: SeCreatePagefilePrivilege	1192	WerFault.exe
Token: SeShutdownPrivilege	1192	WerFault.exe
Token: SeCreatePagefilePrivilege	1192	WerFault.exe
Token: SeShutdownPrivilege	1192	WerFault.exe
Token: SeCreatePagefilePrivilege	1192	WerFault.exe
Token: SeShutdownPrivilege	1192	WerFault.exe
Token: SeCreatePagefilePrivilege	1192	WerFault.exe
Token: SeShutdownPrivilege	1192	WerFault.exe
Token: SeCreatePagefilePrivilege	1192	WerFault.exe
Token: SeShutdownPrivilege	1192	WerFault.exe
Token: SeCreatePagefilePrivilege	1192	WerFault.exe
Token: SeShutdownPrivilege	1192	WerFault.exe
Token: SeCreatePagefilePrivilege	1192	WerFault.exe
Token: SeShutdownPrivilege	1192	WerFault.exe
Token: SeCreatePagefilePrivilege	1192	WerFault.exe
Token: SeShutdownPrivilege	1192	WerFault.exe
Token: SeCreatePagefilePrivilege	1192	WerFault.exe
Token: SeShutdownPrivilege	1192	WerFault.exe
Token: SeCreatePagefilePrivilege	1192	WerFault.exe
Token: SeShutdownPrivilege	1192	WerFault.exe
Token: SeCreatePagefilePrivilege	1192	WerFault.exe
Token: SeShutdownPrivilege	1192	WerFault.exe
Token: SeCreatePagefilePrivilege	1192	WerFault.exe
Token: SeShutdownPrivilege	3880	WerFault.exe
Token: SeCreatePagefilePrivilege	3880	WerFault.exe
Token: SeShutdownPrivilege	3880	WerFault.exe
Token: SeCreatePagefilePrivilege	3880	WerFault.exe
Token: SeShutdownPrivilege	3880	WerFault.exe
Token: SeCreatePagefilePrivilege	3880	WerFault.exe
Token: SeShutdownPrivilege	3880	WerFault.exe
Token: SeCreatePagefilePrivilege	3880	WerFault.exe
Token: SeShutdownPrivilege	3880	WerFault.exe
Token: SeCreatePagefilePrivilege	3880	WerFault.exe
Token: SeShutdownPrivilege	3880	WerFault.exe
Token: SeCreatePagefilePrivilege	3880	WerFault.exe
Token: SeShutdownPrivilege	3880	WerFault.exe
Token: SeCreatePagefilePrivilege	3880	WerFault.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe
4732	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4984	StartMenuExperienceHost.exe
1336	StartMenuExperienceHost.exe
2996	StartMenuExperienceHost.exe
960	Process not Found
4052	StartMenuExperienceHost.exe
3808	SearchApp.exe
2500	WerFault.exe
3640	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\f407423a564d3674613cf8c2fcbe451903ebd6a65bb8c4becf5007d0c371a251.exe
"C:\Users\Admin\AppData\Local\Temp\f407423a564d3674613cf8c2fcbe451903ebd6a65bb8c4becf5007d0c371a251.exe"
1⤵
PID:5016

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4340
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4340 -s 6212
  2⤵
  - Program crash
  PID:4336

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4340 -ip 4340
1⤵
PID:696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1192
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1192 -s 6112
  2⤵
  - Program crash
  PID:3996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 1192 -ip 1192
1⤵
PID:3568

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3880
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3880 -s 7304
  2⤵
  - Program crash
  PID:4000

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:960
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 960 -s 3972
  2⤵
  - Program crash
  PID:4936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 960 -ip 960
1⤵
PID:3648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3880 -ip 3880
1⤵
PID:4920

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4732
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4732 -s 5688
  2⤵
  - Program crash
  PID:3184

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4052

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3808
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3808 -s 3576
  2⤵
  - Program crash
  PID:3744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3808 -ip 3808
1⤵
PID:3968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 4732 -ip 4732
1⤵
PID:4212

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3908
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3908 -s 6312
  2⤵
  - Program crash
  PID:4172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3640
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3640 -s 3532
  2⤵
  - Program crash
  PID:4272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 3640 -ip 3640
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1192

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3908 -ip 3908
1⤵
PID:3320

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:968
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 968 -s 5932
  2⤵
  - Program crash
  PID:3176

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1316
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1316 -s 3600
  2⤵
  - Program crash
  PID:2328

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1316 -ip 1316
1⤵
PID:884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 968 -ip 968
1⤵
PID:1508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1784
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1784 -s 7396
  2⤵
  - Program crash
  PID:4844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4328
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4328 -s 3572
  2⤵
  - Program crash
  PID:5064

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4328 -ip 4328
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1192

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 1784 -ip 1784
1⤵
PID:4880

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3692 -s 4488
  2⤵
  - Program crash
  PID:4844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1592

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4812
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4812 -s 3596
  2⤵
  - Program crash
  PID:936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 4812 -ip 4812
1⤵
PID:4260

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 3692 -ip 3692
1⤵
PID:3252

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2940
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2940 -s 5992
  2⤵
  - Program crash
  PID:416

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 2940 -ip 2940
1⤵
PID:5008

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4340
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4340 -s 6000
  2⤵
  - Program crash
  PID:4332

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 4340 -ip 4340
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3880

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3464
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3464 -s 7456
  2⤵
  - Program crash
  PID:1648

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4808
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4808 -s 3612
  2⤵
  - Program crash
  PID:1264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 4808 -ip 4808
1⤵
PID:2624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3464 -ip 3464
1⤵
PID:3168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1280
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1280 -s 7476
  2⤵
  - Program crash
  PID:3836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3692 -s 3580
  2⤵
  - Program crash
  PID:2644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3692 -ip 3692
1⤵
PID:3180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 1280 -ip 1280
1⤵
PID:4616

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2916 -s 5980
  2⤵
  - Program crash
  PID:3128

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4008

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3164
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3164 -s 3612
  2⤵
  - Program crash
  PID:5064

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3164 -ip 3164
1⤵
PID:1756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 2916 -ip 2916
1⤵
PID:4080

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2624
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2624 -s 5528
  2⤵
  - Program crash
  PID:640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2364

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3564
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3564 -s 3572
  2⤵
  - Program crash
  PID:704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 3564 -ip 3564
1⤵
PID:3404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 2624 -ip 2624
1⤵
PID:3324

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:760
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 760 -s 1964
  2⤵
  - Program crash
  PID:3788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3468
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3468 -s 3608
  2⤵
  - Program crash
  PID:1264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 3468 -ip 3468
1⤵
PID:4000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 760 -ip 760
1⤵
PID:3440

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2124
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2124 -s 6128
  2⤵
  - Program crash
  PID:688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 2124 -ip 2124
1⤵
PID:3340

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4276 -s 5848
  2⤵
  - Program crash
  PID:3464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:708
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 708 -s 3608
  2⤵
  - Program crash
  PID:4216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 708 -ip 708
1⤵
PID:4248

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4276 -ip 4276
1⤵
PID:4608

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3132 -s 6104
  2⤵
  - Program crash
  PID:5048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 3132 -ip 3132
1⤵
PID:3484

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4420
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4420 -s 5904
  2⤵
  - Program crash
  PID:1580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4420 -ip 4420
1⤵
PID:2500

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2064
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2064 -s 5980
  2⤵
  - Program crash
  PID:2612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4784

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 2064 -ip 2064
1⤵
PID:3620

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:3908
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3908 -s 6976
  2⤵
  - Program crash
  PID:2984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4336

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4408
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4408 -s 3604
  2⤵
  - Program crash
  PID:4068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4408 -ip 4408
1⤵
PID:3320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 3908 -ip 3908
1⤵
PID:3128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3860
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3860 -s 7404
  2⤵
  - Program crash
  PID:4312

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3484
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3484 -s 3588
  2⤵
  - Program crash
  PID:4284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 3484 -ip 3484
1⤵
PID:1164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 3860 -ip 3860
1⤵
PID:3240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3932
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3932 -s 1084
  2⤵
  - Program crash
  PID:3020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4272

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4676
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4676 -s 3532
  2⤵
  - Program crash
  PID:3524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4676 -ip 4676
1⤵
PID:496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3932 -ip 3932
1⤵
PID:4400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3600
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3600 -s 5972
  2⤵
  - Program crash
  PID:2856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4332

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4756
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4756 -s 3592
  2⤵
  - Program crash
  PID:1120

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 4756 -ip 4756
1⤵
PID:1164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 3600 -ip 3600
1⤵
PID:3036

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4008
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4008 -s 6072
  2⤵
  - Program crash
  PID:4876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:468

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3356
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3356 -s 3596
  2⤵
  - Enumerates connected drives
  - Program crash
  - Modifies registry class
  PID:3908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 3356 -ip 3356
1⤵
PID:4836

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 4008 -ip 4008
1⤵
PID:4248

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3460
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3460 -s 3932
  2⤵
  - Program crash
  PID:492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4284 -s 5896
  2⤵
  - Program crash
  PID:964

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2776

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 4284 -ip 4284
1⤵
PID:3128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1280
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1280 -s 5836
  2⤵
  - Program crash
  PID:5100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 3460 -ip 3460
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1280 -ip 1280
1⤵
PID:4864

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1980
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1980 -s 3612
  2⤵
  - Program crash
  PID:1560

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3740

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1844
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1844 -s 3532
  2⤵
  - Program crash
  PID:1264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1844 -ip 1844
1⤵
PID:4476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 1980 -ip 1980
1⤵
PID:972

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3232

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4580
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4580 -s 3568
  2⤵
  - Program crash
  PID:1984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4580 -ip 4580
1⤵
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
29ca2a9bfe32d2d0032f9b9f23c21f95

SHA1
1956973c843d2977ce300d78cb39b7674d7672b1

SHA256
8571fcfed52bd8df54184d5808a24f8a8a356acfcfc3276de2e34c541f452799

SHA512
5facceb938caeb0e7e12215eaae36684c516ca97f82ccc7816df8712b3067b65e9b08889f92ee3aeb6fe3686eee5a0cbe95da9b33f0e58d26384f943bd7d4e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
bc5135aa8a686417afb9f4b87b946d4b

SHA1
1c4efae1b0144eb5248923197a55e640bac32ddc

SHA256
30d1d727a64cc51dbd4bbfdcf3b1a870ecdd9f2120227c5c9457154533143646

SHA512
f478d2d6b0117d26137e92c81d2fd2e6ee5aafb15f377542fa4050e9d47ea17f9bcaa8bd20700a3949f5deb71e9823e006339b96fa8cec8686c3df12ae136534

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
memory/708-260-0x000001638AD00000-0x000001638AD20000-memory.dmp

Filesize
128KB

Download
memory/708-262-0x000001638A9B0000-0x000001638A9D0000-memory.dmp

Filesize
128KB

Download
memory/708-264-0x000001638B0C0000-0x000001638B0E0000-memory.dmp

Filesize
128KB

Download
memory/760-228-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/960-20-0x00000142744C0000-0x00000142744E0000-memory.dmp

Filesize
128KB

Download
memory/960-17-0x0000014273EA0000-0x0000014273EC0000-memory.dmp

Filesize
128KB

Download
memory/960-15-0x0000014273EE0000-0x0000014273F00000-memory.dmp

Filesize
128KB

Download
memory/968-69-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1280-162-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1316-78-0x00000186A3A70000-0x00000186A3A90000-memory.dmp

Filesize
128KB

Download
memory/1316-76-0x00000186A3AB0000-0x00000186A3AD0000-memory.dmp

Filesize
128KB

Download
memory/1316-80-0x00000186A3E80000-0x00000186A3EA0000-memory.dmp

Filesize
128KB

Download
memory/1784-91-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/2624-208-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/2916-185-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/3164-198-0x000002278D760000-0x000002278D780000-memory.dmp

Filesize
128KB

Download
memory/3164-195-0x000002278D350000-0x000002278D370000-memory.dmp

Filesize
128KB

Download
memory/3164-193-0x000002278D390000-0x000002278D3B0000-memory.dmp

Filesize
128KB

Download
memory/3464-139-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/3468-238-0x0000015D068E0000-0x0000015D06900000-memory.dmp

Filesize
128KB

Download
memory/3468-236-0x0000015D06920000-0x0000015D06940000-memory.dmp

Filesize
128KB

Download
memory/3468-240-0x0000015D06F00000-0x0000015D06F20000-memory.dmp

Filesize
128KB

Download
memory/3484-309-0x000001B24D4C0000-0x000001B24D4E0000-memory.dmp

Filesize
128KB

Download
memory/3484-311-0x000001B24D480000-0x000001B24D4A0000-memory.dmp

Filesize
128KB

Download
memory/3484-313-0x000001B24DAA0000-0x000001B24DAC0000-memory.dmp

Filesize
128KB

Download
memory/3564-222-0x000002175BD00000-0x000002175BD20000-memory.dmp

Filesize
128KB

Download
memory/3564-216-0x000002175B720000-0x000002175B740000-memory.dmp

Filesize
128KB

Download
memory/3564-218-0x000002175B6E0000-0x000002175B700000-memory.dmp

Filesize
128KB

Download
memory/3600-348-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/3640-63-0x000001E2BD030000-0x000001E2BD050000-memory.dmp

Filesize
128KB

Download
memory/3640-59-0x000001E2BCC20000-0x000001E2BCC40000-memory.dmp

Filesize
128KB

Download
memory/3640-56-0x000001E2BCC60000-0x000001E2BCC80000-memory.dmp

Filesize
128KB

Download
memory/3692-173-0x00000285903A0000-0x00000285903C0000-memory.dmp

Filesize
128KB

Download
memory/3692-172-0x000002858FD80000-0x000002858FDA0000-memory.dmp

Filesize
128KB

Download
memory/3692-170-0x000002858FDC0000-0x000002858FDE0000-memory.dmp

Filesize
128KB

Download
memory/3692-114-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/3808-42-0x00000225129D0000-0x00000225129F0000-memory.dmp

Filesize
128KB

Download
memory/3808-45-0x00000225130E0000-0x0000022513100000-memory.dmp

Filesize
128KB

Download
memory/3808-38-0x0000022512D20000-0x0000022512D40000-memory.dmp

Filesize
128KB

Download
memory/3860-301-0x0000000003F00000-0x0000000003F01000-memory.dmp

Filesize
4KB

Download
memory/3880-9-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/3908-49-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/3908-278-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/3932-324-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/4276-253-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/4328-101-0x000002CC8E690000-0x000002CC8E6B0000-memory.dmp

Filesize
128KB

Download
memory/4328-103-0x000002CC8EAA0000-0x000002CC8EAC0000-memory.dmp

Filesize
128KB

Download
memory/4328-99-0x000002CC8E6D0000-0x000002CC8E6F0000-memory.dmp

Filesize
128KB

Download
memory/4408-292-0x000001DC2FB50000-0x000001DC2FB70000-memory.dmp

Filesize
128KB

Download
memory/4408-286-0x000001DC2F780000-0x000001DC2F7A0000-memory.dmp

Filesize
128KB

Download
memory/4408-289-0x000001DC2F740000-0x000001DC2F760000-memory.dmp

Filesize
128KB

Download
memory/4676-332-0x0000022D3E8C0000-0x0000022D3E8E0000-memory.dmp

Filesize
128KB

Download
memory/4676-335-0x0000022D3E880000-0x0000022D3E8A0000-memory.dmp

Filesize
128KB

Download
memory/4676-339-0x0000022D3EC90000-0x0000022D3ECB0000-memory.dmp

Filesize
128KB

Download
memory/4732-30-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/4756-360-0x000001A3D3690000-0x000001A3D36B0000-memory.dmp

Filesize
128KB

Download
memory/4756-358-0x000001A3D3280000-0x000001A3D32A0000-memory.dmp

Filesize
128KB

Download
memory/4756-356-0x000001A3D32C0000-0x000001A3D32E0000-memory.dmp

Filesize
128KB

Download
memory/4808-147-0x00000283E6300000-0x00000283E6320000-memory.dmp

Filesize
128KB

Download
memory/4808-149-0x00000283E5FC0000-0x00000283E5FE0000-memory.dmp

Filesize
128KB

Download
memory/4808-151-0x00000283E6770000-0x00000283E6790000-memory.dmp

Filesize
128KB

Download
memory/4812-126-0x0000021056190000-0x00000210561B0000-memory.dmp

Filesize
128KB

Download
memory/4812-124-0x0000021055D80000-0x0000021055DA0000-memory.dmp

Filesize
128KB

Download
memory/4812-122-0x0000021055DC0000-0x0000021055DE0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads