f8734f8fbe2bafdc37c3f973250cef2918b17aec956a9de3f89d31f0f1b8306c

Analysis

max time kernel
25s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8734f8fbe2bafdc37c3f973250cef2918b17aec956a9de3f89d31f0f1b8306c.exe
Size

2.7MB
MD5

7a198742fbeb37e2a53ce5a11bd9728e
SHA1

e0be8345b42cacefdab8f17310e8738e82cc4fbf
SHA256

f8734f8fbe2bafdc37c3f973250cef2918b17aec956a9de3f89d31f0f1b8306c
SHA512

6f55b9fdc46804fcd49204ba9f2012688f8d0170e986e99336447bf5070730cd7a24d7cd541ce4fb46826ba97c2a4074cd8a3fc23e8e38873556cd20d8bc461e
SSDEEP

49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTlFp6cG1o96FSS8Pf7O:Q+8X9G3vP3AM/UcsvFSHS

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Program crash 51 IoCs

pid	pid_target	Process	procid_target
3768	4112	WerFault.exe	86
3732	2676	WerFault.exe	94
1992	3572	WerFault.exe	104
2816	3292	WerFault.exe	102
3320	3812	WerFault.exe	112
1868	3500	WerFault.exe	110
1992	1800	WerFault.exe	120
2020	4828	WerFault.exe	118
4228	3040	WerFault.exe	126
4984	4268	WerFault.exe	134
3752	4132	WerFault.exe	132
4916	4452	WerFault.exe	140
216	2736	WerFault.exe	147
2468	4984	WerFault.exe	145
804	3684	WerFault.exe	155
2544	4236	WerFault.exe	153
4160	4020	WerFault.exe	163
1400	656	WerFault.exe	161
4740	2600	WerFault.exe	169
2668	3864	WerFault.exe	176
2160	2756	WerFault.exe	174
4756	2256	WerFault.exe	182
4416	3232	WerFault.exe	189
3380	2512	WerFault.exe	187
4124	3416	WerFault.exe	197
4784	1820	WerFault.exe	195
4016	4680	WerFault.exe	205
3416	1676	WerFault.exe	203
1792	2732	WerFault.exe	211
2160	976	WerFault.exe	218
3220	3304	WerFault.exe	216
4956	3956	WerFault.exe	224
2536	3804	WerFault.exe	231
3680	3512	WerFault.exe	229
3612	1792	WerFault.exe	237
3920	1968	WerFault.exe	244
1348	4388	WerFault.exe	242
4896	2068	WerFault.exe	250
4160	4028	WerFault.exe	255
4728	2328	WerFault.exe	262
3980	1456	WerFault.exe	260
3340	1044	WerFault.exe	269
1712	3688	WerFault.exe	276
4156	548	WerFault.exe	274
4844	2544	WerFault.exe	279
4872	976	WerFault.exe	283
3840	2244	WerFault.exe	292
4192	1460	WerFault.exe	290
528	3112	WerFault.exe	298
2872	3212	WerFault.exe	305
1648	1956	WerFault.exe	303

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{F2146E91-8CC1-4A6A-AE83-2806C9865F47}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{54C06CA2-E5D3-406F-951E-01B363E090B5}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{A0990306-9955-4DE3-9E48-9E0031DE9AEE}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{88BD3AA2-D8C9-4712-A2C1-30B4F1BCCE2E}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeCreatePagefilePrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeCreatePagefilePrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeCreatePagefilePrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeCreatePagefilePrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeCreatePagefilePrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeCreatePagefilePrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeCreatePagefilePrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeCreatePagefilePrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeCreatePagefilePrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeCreatePagefilePrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeCreatePagefilePrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeCreatePagefilePrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	3292	explorer.exe
Token: SeCreatePagefilePrivilege	3292	explorer.exe
Token: SeShutdownPrivilege	3292	explorer.exe
Token: SeCreatePagefilePrivilege	3292	explorer.exe
Token: SeShutdownPrivilege	3292	explorer.exe
Token: SeCreatePagefilePrivilege	3292	explorer.exe
Token: SeShutdownPrivilege	3292	explorer.exe
Token: SeCreatePagefilePrivilege	3292	explorer.exe
Token: SeShutdownPrivilege	3292	explorer.exe
Token: SeCreatePagefilePrivilege	3292	explorer.exe
Token: SeShutdownPrivilege	3292	explorer.exe
Token: SeCreatePagefilePrivilege	3292	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe
3500	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4636	StartMenuExperienceHost.exe
1276	StartMenuExperienceHost.exe
1376	StartMenuExperienceHost.exe
3572	SearchApp.exe
4388	explorer.exe
3812	SearchApp.exe
2576	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\f8734f8fbe2bafdc37c3f973250cef2918b17aec956a9de3f89d31f0f1b8306c.exe
"C:\Users\Admin\AppData\Local\Temp\f8734f8fbe2bafdc37c3f973250cef2918b17aec956a9de3f89d31f0f1b8306c.exe"
1⤵
PID:3264

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4112 -s 6208
  2⤵
  - Program crash
  PID:3768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4112 -ip 4112
1⤵
PID:2188

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2676
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2676 -s 6140
  2⤵
  - Program crash
  PID:3732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 2676 -ip 2676
1⤵
PID:2108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3292
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3292 -s 6080
  2⤵
  - Program crash
  PID:2816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3572
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3572 -s 3916
  2⤵
  - Program crash
  PID:1992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 3572 -ip 3572
1⤵
PID:1204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 3292 -ip 3292
1⤵
PID:2108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3500
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3500 -s 4136
  2⤵
  - Program crash
  PID:1868

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4388

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3812
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3812 -s 3584
  2⤵
  - Program crash
  PID:3320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 3812 -ip 3812
1⤵
PID:4048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 3500 -ip 3500
1⤵
PID:3224

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:4828
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4828 -s 7384
  2⤵
  - Program crash
  PID:2020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1800
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1800 -s 3600
  2⤵
  - Program crash
  PID:1992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1800 -ip 1800
1⤵
PID:2340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 4828 -ip 4828
1⤵
PID:4004

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3040 -s 5872
  2⤵
  - Program crash
  PID:4228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 3040 -ip 3040
1⤵
PID:4544

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4132 -s 6172
  2⤵
  - Program crash
  PID:3752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2064

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4268
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4268 -s 3552
  2⤵
  - Program crash
  PID:4984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 4268 -ip 4268
1⤵
PID:4732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 4132 -ip 4132
1⤵
PID:4072

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4452
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4452 -s 6112
  2⤵
  - Program crash
  PID:4916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 4452 -ip 4452
1⤵
PID:3872

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4984
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4984 -s 7456
  2⤵
  - Program crash
  PID:2468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1300

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2736
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2736 -s 3576
  2⤵
  - Program crash
  PID:216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 2736 -ip 2736
1⤵
PID:3352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 4984 -ip 4984
1⤵
PID:804

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4236
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4236 -s 6336
  2⤵
  - Program crash
  PID:2544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3304

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3684
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3684 -s 3560
  2⤵
  - Program crash
  PID:804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 3684 -ip 3684
1⤵
PID:1648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4236 -ip 4236
1⤵
PID:1624

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:656
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 656 -s 6056
  2⤵
  - Program crash
  PID:1400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4020
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4020 -s 2572
  2⤵
  - Program crash
  PID:4160

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4020 -ip 4020
1⤵
PID:980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 656 -ip 656
1⤵
PID:3168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2600
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2600 -s 6136
  2⤵
  - Program crash
  PID:4740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2600 -ip 2600
1⤵
PID:1872

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2756
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2756 -s 7284
  2⤵
  - Program crash
  PID:2160

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3864 -s 3564
  2⤵
  - Program crash
  PID:2668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 3864 -ip 3864
1⤵
PID:1620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 2756 -ip 2756
1⤵
PID:3852

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2256
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2256 -s 6104
  2⤵
  - Program crash
  PID:4756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 2256 -ip 2256
1⤵
PID:3404

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2512
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2512 -s 5996
  2⤵
  - Program crash
  PID:3380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3232
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3232 -s 3596
  2⤵
  - Program crash
  PID:4416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3232 -ip 3232
1⤵
PID:444

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 2512 -ip 2512
1⤵
PID:4784

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1820
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1820 -s 5936
  2⤵
  - Program crash
  PID:4784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1788

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3416
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3416 -s 3556
  2⤵
  - Program crash
  PID:4124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3416 -ip 3416
1⤵
PID:2468

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1820 -ip 1820
1⤵
PID:1428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1676
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1676 -s 6228
  2⤵
  - Program crash
  PID:3416

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3064

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4680 -s 3620
  2⤵
  - Program crash
  PID:4016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4680 -ip 4680
1⤵
PID:2244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 1676 -ip 1676
1⤵
PID:1084

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2732
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2732 -s 6164
  2⤵
  - Program crash
  PID:1792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2732 -ip 2732
1⤵
PID:1228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3304 -s 5928
  2⤵
  - Program crash
  PID:3220

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3528

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:976
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 976 -s 3580
  2⤵
  - Program crash
  PID:2160

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 976 -ip 976
1⤵
PID:4900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3304 -ip 3304
1⤵
PID:2952

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3956
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3956 -s 5784
  2⤵
  - Program crash
  PID:4956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 3956 -ip 3956
1⤵
PID:2600

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3512
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3512 -s 7504
  2⤵
  - Program crash
  PID:3680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4340

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3804
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3804 -s 3568
  2⤵
  - Program crash
  PID:2536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3804 -ip 3804
1⤵
PID:3684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 3512 -ip 3512
1⤵
PID:3604

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1792
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1792 -s 5964
  2⤵
  - Program crash
  PID:3612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1792 -ip 1792
1⤵
PID:1884

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4388
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4388 -s 7216
  2⤵
  - Program crash
  PID:1348

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:456

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1968
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1968 -s 3572
  2⤵
  - Program crash
  PID:3920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 1968 -ip 1968
1⤵
PID:3144

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4388 -ip 4388
1⤵
PID:1660

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2068
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2068 -s 6032
  2⤵
  - Program crash
  PID:4896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2068 -ip 2068
1⤵
PID:4412

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4028
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4028 -s 6020
  2⤵
  - Program crash
  PID:4160

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4028 -ip 4028
1⤵
PID:3356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1456
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1456 -s 3972
  2⤵
  - Program crash
  PID:3980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3040

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2328
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2328 -s 3568
  2⤵
  - Program crash
  PID:4728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 2328 -ip 2328
1⤵
PID:1920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 1456 -ip 1456
1⤵
PID:3804

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1044
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1044 -s 6092
  2⤵
  - Program crash
  PID:3340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1792

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 1044 -ip 1044
1⤵
PID:3632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:548
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 548 -s 4308
  2⤵
  - Program crash
  PID:4156

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2340

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3688
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3688 -s 3560
  2⤵
  - Program crash
  PID:1712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 3688 -ip 3688
1⤵
PID:3612

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2544
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2544 -s 3860
  2⤵
  - Program crash
  PID:4844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 548 -ip 548
1⤵
PID:1720

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:976
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 976 -s 5992
  2⤵
  - Program crash
  PID:4872

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 2544 -ip 2544
1⤵
PID:1676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 976 -ip 976
1⤵
PID:1892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1460
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1460 -s 5792
  2⤵
  - Program crash
  PID:4192

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2244
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2244 -s 3576
  2⤵
  - Program crash
  PID:3840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 2244 -ip 2244
1⤵
PID:4764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 1460 -ip 1460
1⤵
PID:2536

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3112 -s 5824
  2⤵
  - Program crash
  PID:528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:896

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3112 -ip 3112
1⤵
PID:1096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1956
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1956 -s 7412
  2⤵
  - Program crash
  PID:1648

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4408

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3212
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3212 -s 3576
  2⤵
  - Program crash
  PID:2872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3212 -ip 3212
1⤵
PID:2132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 1956 -ip 1956
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
29ca2a9bfe32d2d0032f9b9f23c21f95

SHA1
1956973c843d2977ce300d78cb39b7674d7672b1

SHA256
8571fcfed52bd8df54184d5808a24f8a8a356acfcfc3276de2e34c541f452799

SHA512
5facceb938caeb0e7e12215eaae36684c516ca97f82ccc7816df8712b3067b65e9b08889f92ee3aeb6fe3686eee5a0cbe95da9b33f0e58d26384f943bd7d4e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
7c51c2d4b3cafa4840be1b50c3c767d4

SHA1
c9b3a49365a84bc06e1997fcedd9bbfe743d8ba0

SHA256
6c80659ff4d13d0f11ac6c2faae3855f18c518bdb8587d25d261747b05421cde

SHA512
1631023e817a41512b51e57220599908b361d815f20cfa2b0d53d74bdec6a09128a3b7b310c9986f123e664a956dcf4a82c279de45ff8d315de3696e72a38a18

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe

Filesize
36KB

MD5
406347732c383e23c3b1af590a47bccd

SHA1
fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

SHA256
e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

SHA512
18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml

Filesize
97B

MD5
bc0c3d8c7fd2d9e4c1cac28f314c2f28

SHA1
413955a43a3b93b642d86cc9eaea2068044dff26

SHA256
7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

SHA512
88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

Download Submit
memory/548-345-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/656-141-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/976-261-0x000002C39A980000-0x000002C39A9A0000-memory.dmp

Filesize
128KB

Download
memory/976-264-0x000002C39A940000-0x000002C39A960000-memory.dmp

Filesize
128KB

Download
memory/976-268-0x000002C39AD50000-0x000002C39AD70000-memory.dmp

Filesize
128KB

Download
memory/1456-322-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/1676-232-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/1800-63-0x00000289CD560000-0x00000289CD580000-memory.dmp

Filesize
128KB

Download
memory/1800-59-0x00000289CD190000-0x00000289CD1B0000-memory.dmp

Filesize
128KB

Download
memory/1800-61-0x00000289CD150000-0x00000289CD170000-memory.dmp

Filesize
128KB

Download
memory/1820-208-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/1968-310-0x000001CB46FE0000-0x000001CB47000000-memory.dmp

Filesize
128KB

Download
memory/1968-304-0x000001CB46BD0000-0x000001CB46BF0000-memory.dmp

Filesize
128KB

Download
memory/1968-307-0x000001CB46B90000-0x000001CB46BB0000-memory.dmp

Filesize
128KB

Download
memory/2328-334-0x00000273180C0000-0x00000273180E0000-memory.dmp

Filesize
128KB

Download
memory/2328-329-0x0000027317AF0000-0x0000027317B10000-memory.dmp

Filesize
128KB

Download
memory/2328-331-0x0000027317AB0000-0x0000027317AD0000-memory.dmp

Filesize
128KB

Download
memory/2512-185-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/2736-109-0x000001E741AA0000-0x000001E741AC0000-memory.dmp

Filesize
128KB

Download
memory/2736-105-0x000001E741490000-0x000001E7414B0000-memory.dmp

Filesize
128KB

Download
memory/2736-102-0x000001E7414D0000-0x000001E7414F0000-memory.dmp

Filesize
128KB

Download
memory/2756-161-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/3232-193-0x000001B931420000-0x000001B931440000-memory.dmp

Filesize
128KB

Download
memory/3232-198-0x000001B931830000-0x000001B931850000-memory.dmp

Filesize
128KB

Download
memory/3232-195-0x000001B9311E0000-0x000001B931200000-memory.dmp

Filesize
128KB

Download
memory/3292-10-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/3304-253-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/3416-216-0x0000027233770000-0x0000027233790000-memory.dmp

Filesize
128KB

Download
memory/3416-219-0x0000027233730000-0x0000027233750000-memory.dmp

Filesize
128KB

Download
memory/3416-222-0x0000027233B40000-0x0000027233B60000-memory.dmp

Filesize
128KB

Download
memory/3500-29-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/3512-273-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/3572-16-0x0000025990270000-0x0000025990290000-memory.dmp

Filesize
128KB

Download
memory/3572-18-0x0000025990230000-0x0000025990250000-memory.dmp

Filesize
128KB

Download
memory/3572-20-0x0000025990640000-0x0000025990660000-memory.dmp

Filesize
128KB

Download
memory/3684-128-0x000001F867FA0000-0x000001F867FC0000-memory.dmp

Filesize
128KB

Download
memory/3684-130-0x000001F8686B0000-0x000001F8686D0000-memory.dmp

Filesize
128KB

Download
memory/3684-125-0x000001F867FE0000-0x000001F868000000-memory.dmp

Filesize
128KB

Download
memory/3688-352-0x0000020A74660000-0x0000020A74680000-memory.dmp

Filesize
128KB

Download
memory/3688-358-0x0000020A74A20000-0x0000020A74A40000-memory.dmp

Filesize
128KB

Download
memory/3688-354-0x0000020A74620000-0x0000020A74640000-memory.dmp

Filesize
128KB

Download
memory/3804-282-0x000001E6F0290000-0x000001E6F02B0000-memory.dmp

Filesize
128KB

Download
memory/3804-284-0x000001E6F08A0000-0x000001E6F08C0000-memory.dmp

Filesize
128KB

Download
memory/3804-280-0x000001E6F02D0000-0x000001E6F02F0000-memory.dmp

Filesize
128KB

Download
memory/3812-36-0x000002B8BA560000-0x000002B8BA580000-memory.dmp

Filesize
128KB

Download
memory/3812-39-0x000002B8BA520000-0x000002B8BA540000-memory.dmp

Filesize
128KB

Download
memory/3812-41-0x000002B8BA930000-0x000002B8BA950000-memory.dmp

Filesize
128KB

Download
memory/3864-171-0x0000013186AB0000-0x0000013186AD0000-memory.dmp

Filesize
128KB

Download
memory/3864-173-0x00000131870C0000-0x00000131870E0000-memory.dmp

Filesize
128KB

Download
memory/3864-169-0x0000013186AF0000-0x0000013186B10000-memory.dmp

Filesize
128KB

Download
memory/4020-148-0x000001FC8D390000-0x000001FC8D3B0000-memory.dmp

Filesize
128KB

Download
memory/4020-152-0x000001FC8D960000-0x000001FC8D980000-memory.dmp

Filesize
128KB

Download
memory/4020-150-0x000001FC8D350000-0x000001FC8D370000-memory.dmp

Filesize
128KB

Download
memory/4132-75-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/4236-117-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/4268-87-0x0000023492FA0000-0x0000023492FC0000-memory.dmp

Filesize
128KB

Download
memory/4268-89-0x00000234936B0000-0x00000234936D0000-memory.dmp

Filesize
128KB

Download
memory/4268-83-0x0000023492FE0000-0x0000023493000000-memory.dmp

Filesize
128KB

Download
memory/4388-296-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/4680-244-0x00000171ACC20000-0x00000171ACC40000-memory.dmp

Filesize
128KB

Download
memory/4680-240-0x00000171AC860000-0x00000171AC880000-memory.dmp

Filesize
128KB

Download
memory/4680-242-0x00000171AC820000-0x00000171AC840000-memory.dmp

Filesize
128KB

Download
memory/4828-51-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/4984-95-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads