543d10b0b267bf28f6d4a4198ac645268962db0d7964da0a5e7b218725394000

Analysis

max time kernel
26s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

543d10b0b267bf28f6d4a4198ac645268962db0d7964da0a5e7b218725394000.exe
Size

3.2MB
MD5

99e7c89fca875c774409c0afdbaf3788
SHA1

b94c6af51933e1706c726317e6c383c5861649d3
SHA256

543d10b0b267bf28f6d4a4198ac645268962db0d7964da0a5e7b218725394000
SHA512

cb04c8ac4a5134fa63055e92deef92153a45d073c61e3485180b127d99dfa405328b228a884ffe5e4eb157cb90167fa212bb0ebeffebcbe5be430c05bc8ea472
SSDEEP

49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTlnbzqSoTfpUX7ev3Otmx:Q+8X9G3vP3AMp3qxfBv3Otg

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 50 IoCs

pid	pid_target	Process	procid_target
4512	1424	WerFault.exe	87
4300	3476	WerFault.exe	100
5104	1644	WerFault.exe	96
4904	4484	WerFault.exe	106
3384	3972	WerFault.exe	113
4076	3308	WerFault.exe	111
4016	5052	WerFault.exe	121
3900	1856	WerFault.exe	119
3664	1948	WerFault.exe	130
4644	3624	WerFault.exe	127
4736	5092	WerFault.exe	136
3788	572	WerFault.exe	141
2356	4488	WerFault.exe	148
3664	5108	WerFault.exe	146
4132	2912	WerFault.exe	156
2792	4076	WerFault.exe	154
4944	3460	WerFault.exe	162
3352	3972	WerFault.exe	167
4440	3544	WerFault.exe	174
3364	2608	WerFault.exe	172
3692	4480	WerFault.exe	182
572	3924	WerFault.exe	180
4076	5092	WerFault.exe	190
4252	1984	WerFault.exe	188
4848	2272	WerFault.exe	198
3024	4792	WerFault.exe	196
3408	3564	WerFault.exe	206
2660	456	WerFault.exe	204
2912	2600	WerFault.exe	214
1904	3460	WerFault.exe	212
2092	492	WerFault.exe	220
1100	1948	WerFault.exe	227
3588	3996	WerFault.exe	225
5048	3376	WerFault.exe	235
4012	3956	WerFault.exe	233
1488	2004	WerFault.exe	243
3508	3856	WerFault.exe	241
2576	2028	WerFault.exe	250
1208	4648	WerFault.exe	257
2820	3956	WerFault.exe	255
2688	3964	WerFault.exe	265
3352	1904	WerFault.exe	263
5040	3472	WerFault.exe	271
3184	400	WerFault.exe	272
3176	4764	WerFault.exe	277
4248	3100	WerFault.exe	284
2416	1312	WerFault.exe	291
396	2252	WerFault.exe	289
1364	3692	WerFault.exe	299
1104	1236	WerFault.exe	297

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\GPU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{30E2C959-BA59-4C4B-AD1F-ACAB99A2CD6A}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{CC848C19-D7B4-4D66-B37A-388C83F60F37}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{52C87BED-78F3-4956-A0EC-AF089878C468}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{E8533D68-B59C-46D6-9554-2DEE6BF985F1}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1424	explorer.exe
Token: SeCreatePagefilePrivilege	1424	explorer.exe
Token: SeShutdownPrivilege	1424	explorer.exe
Token: SeCreatePagefilePrivilege	1424	explorer.exe
Token: SeShutdownPrivilege	1424	explorer.exe
Token: SeCreatePagefilePrivilege	1424	explorer.exe
Token: SeShutdownPrivilege	1424	explorer.exe
Token: SeCreatePagefilePrivilege	1424	explorer.exe
Token: SeShutdownPrivilege	1424	explorer.exe
Token: SeCreatePagefilePrivilege	1424	explorer.exe
Token: SeShutdownPrivilege	1424	explorer.exe
Token: SeCreatePagefilePrivilege	1424	explorer.exe
Token: SeShutdownPrivilege	1424	explorer.exe
Token: SeCreatePagefilePrivilege	1424	explorer.exe
Token: SeShutdownPrivilege	1424	explorer.exe
Token: SeCreatePagefilePrivilege	1424	explorer.exe
Token: SeShutdownPrivilege	1424	explorer.exe
Token: SeCreatePagefilePrivilege	1424	explorer.exe
Token: SeShutdownPrivilege	1424	explorer.exe
Token: SeCreatePagefilePrivilege	1424	explorer.exe
Token: SeShutdownPrivilege	1424	explorer.exe
Token: SeCreatePagefilePrivilege	1424	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeCreatePagefilePrivilege	1644	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1424	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe
3308	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2864	StartMenuExperienceHost.exe
3328	StartMenuExperienceHost.exe
3476	SearchApp.exe
3580	StartMenuExperienceHost.exe
3296	StartMenuExperienceHost.exe
3972	explorer.exe
4488	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\543d10b0b267bf28f6d4a4198ac645268962db0d7964da0a5e7b218725394000.exe
"C:\Users\Admin\AppData\Local\Temp\543d10b0b267bf28f6d4a4198ac645268962db0d7964da0a5e7b218725394000.exe"
1⤵
PID:3760

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1424
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1424 -s 6016
  2⤵
  - Program crash
  PID:4512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 1424 -ip 1424
1⤵
PID:2228

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1644
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1644 -s 5920
  2⤵
  - Program crash
  PID:5104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3476
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3476 -s 3908
  2⤵
  - Program crash
  PID:4300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3476 -ip 3476
1⤵
PID:4904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1644 -ip 1644
1⤵
PID:4600

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4484
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4484 -s 5796
  2⤵
  - Program crash
  PID:4904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 4484 -ip 4484
1⤵
PID:1856

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3308
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3308 -s 5968
  2⤵
  - Program crash
  PID:4076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3296

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3972 -s 3584
  2⤵
  - Program crash
  PID:3384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3972 -ip 3972
1⤵
PID:4464

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3308 -ip 3308
1⤵
PID:3336

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:1856
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1856 -s 7108
  2⤵
  - Program crash
  PID:3900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4488

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5052
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5052 -s 3576
  2⤵
  - Program crash
  PID:4016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 5052 -ip 5052
1⤵
PID:3188

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 1856 -ip 1856
1⤵
PID:4704

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3624
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3624 -s 6068
  2⤵
  - Program crash
  PID:4644

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1948
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1948 -s 3604
  2⤵
  - Program crash
  PID:3664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 1948 -ip 1948
1⤵
PID:2232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 3624 -ip 3624
1⤵
PID:2208

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5092
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5092 -s 5804
  2⤵
  - Program crash
  PID:4736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 5092 -ip 5092
1⤵
PID:3156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:572
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 572 -s 5952
  2⤵
  - Program crash
  PID:3788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 572 -ip 572
1⤵
PID:3688

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5108 -s 7496
  2⤵
  - Program crash
  PID:3664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1932

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4488
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4488 -s 3612
  2⤵
  - Program crash
  PID:2356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 4488 -ip 4488
1⤵
PID:3676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 5108 -ip 5108
1⤵
PID:3452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4076
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4076 -s 7404
  2⤵
  - Program crash
  PID:2792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2912
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2912 -s 3604
  2⤵
  - Program crash
  PID:4132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 2912 -ip 2912
1⤵
PID:2208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 4076 -ip 4076
1⤵
PID:952

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3460
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3460 -s 5948
  2⤵
  - Program crash
  PID:4944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 3460 -ip 3460
1⤵
PID:1464

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3972 -s 5888
  2⤵
  - Program crash
  PID:3352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 3972 -ip 3972
1⤵
PID:4832

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2608
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2608 -s 7436
  2⤵
  - Program crash
  PID:3364

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3508

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3544
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3544 -s 3532
  2⤵
  - Program crash
  PID:4440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 3544 -ip 3544
1⤵
PID:4012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 640 -p 2608 -ip 2608
1⤵
PID:2916

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3924
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3924 -s 7496
  2⤵
  - Program crash
  PID:572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5052

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4480
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4480 -s 3608
  2⤵
  - Program crash
  PID:3692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 4480 -ip 4480
1⤵
PID:3408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 3924 -ip 3924
1⤵
PID:456

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1984
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1984 -s 1976
  2⤵
  - Program crash
  PID:4252

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2596

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5092
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5092 -s 3580
  2⤵
  - Program crash
  PID:4076

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 5092 -ip 5092
1⤵
PID:3624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 640 -p 1984 -ip 1984
1⤵
PID:4348

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4792
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4792 -s 6000
  2⤵
  - Program crash
  PID:3024

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2272
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2272 -s 3572
  2⤵
  - Program crash
  PID:4848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 2272 -ip 2272
1⤵
PID:568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 4792 -ip 4792
1⤵
PID:2844

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:456
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 456 -s 3480
  2⤵
  - Program crash
  PID:2660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3368

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3564
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3564 -s 3604
  2⤵
  - Program crash
  PID:3408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3564 -ip 3564
1⤵
PID:4420

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 456 -ip 456
1⤵
PID:1332

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3460
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3460 -s 7544
  2⤵
  - Program crash
  PID:1904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4240

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2600
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2600 -s 3588
  2⤵
  - Program crash
  PID:2912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 2600 -ip 2600
1⤵
PID:4460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3460 -ip 3460
1⤵
PID:3436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:492
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 492 -s 5956
  2⤵
  - Program crash
  PID:2092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 492 -ip 492
1⤵
PID:440

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3996
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3996 -s 7384
  2⤵
  - Program crash
  PID:3588

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4720

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1948
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1948 -s 3556
  2⤵
  - Program crash
  PID:1100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 1948 -ip 1948
1⤵
PID:2524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 3996 -ip 3996
1⤵
PID:3544

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3956
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3956 -s 5972
  2⤵
  - Program crash
  PID:4012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3376
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3376 -s 3496
  2⤵
  - Program crash
  PID:5048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 3376 -ip 3376
1⤵
PID:2524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 3956 -ip 3956
1⤵
PID:1948

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3856
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3856 -s 6112
  2⤵
  - Program crash
  PID:3508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:548

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2004
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2004 -s 3620
  2⤵
  - Program crash
  PID:1488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 2004 -ip 2004
1⤵
PID:4544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 3856 -ip 3856
1⤵
PID:2208

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2028
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2028 -s 5968
  2⤵
  - Program crash
  PID:2576

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 2028 -ip 2028
1⤵
PID:3352

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3956
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3956 -s 7068
  2⤵
  - Program crash
  PID:2820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4648
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4648 -s 3584
  2⤵
  - Program crash
  PID:1208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 648 -p 4648 -ip 4648
1⤵
PID:3468

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3956 -ip 3956
1⤵
PID:4300

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1904 -s 7200
  2⤵
  - Program crash
  PID:3352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4376

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3964
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3964 -s 3580
  2⤵
  - Program crash
  PID:2688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3964 -ip 3964
1⤵
PID:2704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 1904 -ip 1904
1⤵
PID:2420

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3472
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3472 -s 6084
  2⤵
  - Program crash
  PID:5040

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:400
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 400 -s 4024
  2⤵
  - Program crash
  PID:3184

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 3472 -ip 3472
1⤵
PID:3988

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4764
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4764 -s 5940
  2⤵
  - Program crash
  PID:3176

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3304

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 680 -p 400 -ip 400
1⤵
PID:3332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 732 -p 4764 -ip 4764
1⤵
PID:4664

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3100
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3100 -s 6068
  2⤵
  - Program crash
  PID:4248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 3100 -ip 3100
1⤵
PID:3060

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2252 -s 5856
  2⤵
  - Program crash
  PID:396

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5072

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1312
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1312 -s 3528
  2⤵
  - Program crash
  PID:2416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 712 -p 1312 -ip 1312
1⤵
PID:2576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 724 -p 2252 -ip 2252
1⤵
PID:2320

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1236
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1236 -s 5948
  2⤵
  - Program crash
  PID:1104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1504

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3692 -s 3604
  2⤵
  - Program crash
  PID:1364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 648 -p 3692 -ip 3692
1⤵
PID:2608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 1236 -ip 1236
1⤵
PID:4892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
29ca2a9bfe32d2d0032f9b9f23c21f95

SHA1
1956973c843d2977ce300d78cb39b7674d7672b1

SHA256
8571fcfed52bd8df54184d5808a24f8a8a356acfcfc3276de2e34c541f452799

SHA512
5facceb938caeb0e7e12215eaae36684c516ca97f82ccc7816df8712b3067b65e9b08889f92ee3aeb6fe3686eee5a0cbe95da9b33f0e58d26384f943bd7d4e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
53cd3b752dc8c6ae5ffe8b8fee879df4

SHA1
e3b6b3fb8831f8cb6d99c3f02fb4e110daf49869

SHA256
fecd03bbb8e1d546640f1f47ea778ab08684314760126a85f21b9f5a1a75bc74

SHA512
c0e730d65dde8624d13e2aa54d47441688a1113cdb9a094fbb30ba1f6c78219a03f450d82ba17edfee652ce64fd5f0af342f7aa692a392fadc7d57eff2cd5420

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
memory/456-240-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1644-8-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1856-53-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/1948-88-0x0000019115510000-0x0000019115530000-memory.dmp

Filesize
128KB

Download
memory/1948-299-0x0000021917D30000-0x0000021917D50000-memory.dmp

Filesize
128KB

Download
memory/1948-297-0x0000021917920000-0x0000021917940000-memory.dmp

Filesize
128KB

Download
memory/1948-295-0x0000021917960000-0x0000021917980000-memory.dmp

Filesize
128KB

Download
memory/1948-86-0x0000019115100000-0x0000019115120000-memory.dmp

Filesize
128KB

Download
memory/1948-84-0x0000019115140000-0x0000019115160000-memory.dmp

Filesize
128KB

Download
memory/1984-196-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/2004-344-0x00000285AF480000-0x00000285AF4A0000-memory.dmp

Filesize
128KB

Download
memory/2004-340-0x00000285AF0B0000-0x00000285AF0D0000-memory.dmp

Filesize
128KB

Download
memory/2004-342-0x00000285AF070000-0x00000285AF090000-memory.dmp

Filesize
128KB

Download
memory/2272-227-0x000001F225240000-0x000001F225260000-memory.dmp

Filesize
128KB

Download
memory/2272-233-0x000001F225600000-0x000001F225620000-memory.dmp

Filesize
128KB

Download
memory/2272-229-0x000001F225200000-0x000001F225220000-memory.dmp

Filesize
128KB

Download
memory/2600-271-0x000001D5760D0000-0x000001D5760F0000-memory.dmp

Filesize
128KB

Download
memory/2600-277-0x000001D5766A0000-0x000001D5766C0000-memory.dmp

Filesize
128KB

Download
memory/2600-274-0x000001D576090000-0x000001D5760B0000-memory.dmp

Filesize
128KB

Download
memory/2608-149-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2912-134-0x000002A1929C0000-0x000002A1929E0000-memory.dmp

Filesize
128KB

Download
memory/2912-132-0x000002A192C00000-0x000002A192C20000-memory.dmp

Filesize
128KB

Download
memory/2912-136-0x000002A192FD0000-0x000002A192FF0000-memory.dmp

Filesize
128KB

Download
memory/3308-31-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/3376-320-0x000001BE34FA0000-0x000001BE34FC0000-memory.dmp

Filesize
128KB

Download
memory/3376-322-0x000001BE355C0000-0x000001BE355E0000-memory.dmp

Filesize
128KB

Download
memory/3376-318-0x000001BE34FE0000-0x000001BE35000000-memory.dmp

Filesize
128KB

Download
memory/3460-264-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3476-14-0x00000216130D0000-0x00000216130F0000-memory.dmp

Filesize
128KB

Download
memory/3476-20-0x00000216134E0000-0x0000021613500000-memory.dmp

Filesize
128KB

Download
memory/3476-16-0x0000021613090000-0x00000216130B0000-memory.dmp

Filesize
128KB

Download
memory/3544-164-0x000001DA06FA0000-0x000001DA06FC0000-memory.dmp

Filesize
128KB

Download
memory/3544-159-0x000001DA06B90000-0x000001DA06BB0000-memory.dmp

Filesize
128KB

Download
memory/3544-157-0x000001DA06BD0000-0x000001DA06BF0000-memory.dmp

Filesize
128KB

Download
memory/3564-250-0x000001C9C19D0000-0x000001C9C19F0000-memory.dmp

Filesize
128KB

Download
memory/3564-248-0x000001C9C1D20000-0x000001C9C1D40000-memory.dmp

Filesize
128KB

Download
memory/3564-254-0x000001C9C20E0000-0x000001C9C2100000-memory.dmp

Filesize
128KB

Download
memory/3624-76-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/3856-332-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/3924-173-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/3956-356-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/3956-310-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3972-42-0x00000181BD380000-0x00000181BD3A0000-memory.dmp

Filesize
128KB

Download
memory/3972-38-0x00000181BCFB0000-0x00000181BCFD0000-memory.dmp

Filesize
128KB

Download
memory/3972-40-0x00000181BCF70000-0x00000181BCF90000-memory.dmp

Filesize
128KB

Download
memory/3996-287-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/4076-124-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/4480-180-0x0000025FA0040000-0x0000025FA0060000-memory.dmp

Filesize
128KB

Download
memory/4480-183-0x0000025FA0400000-0x0000025FA0420000-memory.dmp

Filesize
128KB

Download
memory/4480-182-0x0000025FA0000000-0x0000025FA0020000-memory.dmp

Filesize
128KB

Download
memory/4488-109-0x000002B92C070000-0x000002B92C090000-memory.dmp

Filesize
128KB

Download
memory/4488-112-0x000002B92C030000-0x000002B92C050000-memory.dmp

Filesize
128KB

Download
memory/4488-114-0x000002B92C440000-0x000002B92C460000-memory.dmp

Filesize
128KB

Download
memory/4648-367-0x0000020EB17E0000-0x0000020EB1800000-memory.dmp

Filesize
128KB

Download
memory/4648-370-0x0000020EB1C30000-0x0000020EB1C50000-memory.dmp

Filesize
128KB

Download
memory/4648-364-0x0000020EB1820000-0x0000020EB1840000-memory.dmp

Filesize
128KB

Download
memory/4792-220-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/5052-61-0x00000138996C0000-0x00000138996E0000-memory.dmp

Filesize
128KB

Download
memory/5052-63-0x0000013899680000-0x00000138996A0000-memory.dmp

Filesize
128KB

Download
memory/5052-66-0x0000013899A90000-0x0000013899AB0000-memory.dmp

Filesize
128KB

Download
memory/5092-204-0x0000023A9A6D0000-0x0000023A9A6F0000-memory.dmp

Filesize
128KB

Download
memory/5092-206-0x0000023A9A690000-0x0000023A9A6B0000-memory.dmp

Filesize
128KB

Download
memory/5092-209-0x0000023A9ACA0000-0x0000023A9ACC0000-memory.dmp

Filesize
128KB

Download
memory/5108-102-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads