759ab637f73f8c8adb9829c6734accea8df01525650d50ca55d53a9243e35eb2

Analysis

max time kernel
29s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

759ab637f73f8c8adb9829c6734accea8df01525650d50ca55d53a9243e35eb2.exe
Size

2.8MB
MD5

1ad2f5ca9115abfdcd6cdee18655a3b0
SHA1

6dbda01bf8c639b1de2d7e240b58aeb9d60aff72
SHA256

759ab637f73f8c8adb9829c6734accea8df01525650d50ca55d53a9243e35eb2
SHA512

fbd2509913b033dd8fec11b07fb749ab3a71fb794afb036946ac1519530b86acaef49095592494ae4b9706e14aa4952202e7b0a4dfaa2c289bf9e3e5eb410aa8
SSDEEP

49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTl3Kd6CCF+3zj/JDAx9QnJl:Q+8X9G3vP3AMhKUrgzjFAknP

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 49 IoCs

pid	pid_target	Process	procid_target
3672	4656	WerFault.exe	86
2760	1912	WerFault.exe	95
1612	4040	WerFault.exe	102
3144	2932	WerFault.exe	109
4200	4888	WerFault.exe	107
4664	3048	WerFault.exe	117
1004	4052	WerFault.exe	115
4424	2384	WerFault.exe	125
4080	4928	WerFault.exe	123
4424	4068	WerFault.exe	134
1256	3468	WerFault.exe	132
5080	4284	WerFault.exe	142
2820	3368	WerFault.exe	140
4412	1264	WerFault.exe	150
748	3196	WerFault.exe	148
1864	3000	WerFault.exe	158
1552	3744	WerFault.exe	156
4428	4288	WerFault.exe	166
4040	4836	WerFault.exe	164
4644	4840	WerFault.exe	175
392	4196	WerFault.exe	173
4316	3844	WerFault.exe	183
3204	2804	WerFault.exe	181
3720	3444	WerFault.exe	189
3532	2456	WerFault.exe	196
3852	4784	WerFault.exe	194
2804	5116	WerFault.exe	204
4288	4608	WerFault.exe	202
2252	4200	WerFault.exe	212
3120	4248	WerFault.exe	210
3584	2888	WerFault.exe	218
1680	4892	WerFault.exe	225
3456	3196	WerFault.exe	223
4276	4224	WerFault.exe	233
3952	4252	WerFault.exe	231
4988	2748	WerFault.exe	241
3956	3796	WerFault.exe	239
4664	4264	WerFault.exe	249
4880	3208	WerFault.exe	247
1012	3372	WerFault.exe	257
1980	4156	WerFault.exe	255
2320	3696	WerFault.exe	263
4408	2644	WerFault.exe	270
1264	4312	WerFault.exe	268
3524	2152	WerFault.exe	276
3124	3776	WerFault.exe	283
3372	4844	WerFault.exe	281
4248	1956	WerFault.exe	289
3640	4444	WerFault.exe	296

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	WerFault.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	WerFault.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1043950675-1972537973-2972532878-1000\{603D94D8-2B2A-444E-8CAE-B75646AF1821}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	WerFault.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	WerFault.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	WerFault.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	WerFault.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4656	explorer.exe
Token: SeCreatePagefilePrivilege	4656	explorer.exe
Token: SeShutdownPrivilege	4656	explorer.exe
Token: SeCreatePagefilePrivilege	4656	explorer.exe
Token: SeShutdownPrivilege	4656	explorer.exe
Token: SeCreatePagefilePrivilege	4656	explorer.exe
Token: SeShutdownPrivilege	4656	explorer.exe
Token: SeCreatePagefilePrivilege	4656	explorer.exe
Token: SeShutdownPrivilege	4656	explorer.exe
Token: SeCreatePagefilePrivilege	4656	explorer.exe
Token: SeShutdownPrivilege	4656	explorer.exe
Token: SeCreatePagefilePrivilege	4656	explorer.exe
Token: SeShutdownPrivilege	4656	explorer.exe
Token: SeCreatePagefilePrivilege	4656	explorer.exe
Token: SeShutdownPrivilege	4656	explorer.exe
Token: SeCreatePagefilePrivilege	4656	explorer.exe
Token: SeShutdownPrivilege	4656	explorer.exe
Token: SeCreatePagefilePrivilege	4656	explorer.exe
Token: SeShutdownPrivilege	4656	explorer.exe
Token: SeCreatePagefilePrivilege	4656	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeCreatePagefilePrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeCreatePagefilePrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeCreatePagefilePrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeCreatePagefilePrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeCreatePagefilePrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeCreatePagefilePrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeCreatePagefilePrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeCreatePagefilePrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeCreatePagefilePrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeCreatePagefilePrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	WerFault.exe
Token: SeCreatePagefilePrivilege	4040	WerFault.exe
Token: SeShutdownPrivilege	4040	WerFault.exe
Token: SeCreatePagefilePrivilege	4040	WerFault.exe
Token: SeShutdownPrivilege	4040	WerFault.exe
Token: SeCreatePagefilePrivilege	4040	WerFault.exe
Token: SeShutdownPrivilege	4040	WerFault.exe
Token: SeCreatePagefilePrivilege	4040	WerFault.exe
Token: SeShutdownPrivilege	4040	WerFault.exe
Token: SeCreatePagefilePrivilege	4040	WerFault.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
4656	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	WerFault.exe
4040	WerFault.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4636	StartMenuExperienceHost.exe
3772	StartMenuExperienceHost.exe
3048	SearchApp.exe
1112	StartMenuExperienceHost.exe
2932	WerFault.exe
2624	StartMenuExperienceHost.exe
3048	StartMenuExperienceHost.exe
4024	WerFault.exe
2384	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\759ab637f73f8c8adb9829c6734accea8df01525650d50ca55d53a9243e35eb2.exe
"C:\Users\Admin\AppData\Local\Temp\759ab637f73f8c8adb9829c6734accea8df01525650d50ca55d53a9243e35eb2.exe"
1⤵
PID:2628

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4656
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4656 -s 5832
  2⤵
  - Program crash
  PID:3672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4656 -ip 4656
1⤵
PID:4316

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1912
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1912 -s 5876
  2⤵
  - Program crash
  PID:2760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 1912 -ip 1912
1⤵
PID:4160

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4040 -s 5912
  2⤵
  - Program crash
  PID:1612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 4040 -ip 4040
1⤵
PID:4372

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4888
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4888 -s 7332
  2⤵
  - Program crash
  PID:4200

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1112

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2932
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2932 -s 3692
  2⤵
  - Program crash
  PID:3144

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 2932 -ip 2932
1⤵
PID:1688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4888 -ip 4888
1⤵
PID:3932

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4052
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4052 -s 7324
  2⤵
  - Program crash
  PID:1004

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3048
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3048 -s 3552
  2⤵
  - Program crash
  PID:4664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3048 -ip 3048
1⤵
PID:3880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 4052 -ip 4052
1⤵
PID:4088

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:4928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4928 -s 7300
  2⤵
  - Program crash
  PID:4080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4024

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2384 -s 3504
  2⤵
  - Program crash
  PID:4424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 2384 -ip 2384
1⤵
PID:3740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 4928 -ip 4928
1⤵
PID:3720

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3468
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3468 -s 5844
  2⤵
  - Program crash
  PID:1256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4068
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4068 -s 3604
  2⤵
  - Program crash
  PID:4424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4068 -ip 4068
1⤵
PID:1984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 3468 -ip 3468
1⤵
PID:3196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3368
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3368 -s 7424
  2⤵
  - Program crash
  PID:2820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4284 -s 3552
  2⤵
  - Program crash
  PID:5080

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 4284 -ip 4284
1⤵
PID:4428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3368 -ip 3368
1⤵
PID:4376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3196
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3196 -s 5792
  2⤵
  - Program crash
  PID:748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1264
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1264 -s 3604
  2⤵
  - Program crash
  PID:4412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 1264 -ip 1264
1⤵
PID:1864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 3196 -ip 3196
1⤵
PID:1752

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3744
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3744 -s 5748
  2⤵
  - Program crash
  PID:1552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1508

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3000
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3000 -s 3576
  2⤵
  - Program crash
  PID:1864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 3000 -ip 3000
1⤵
PID:4244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 3744 -ip 3744
1⤵
PID:4884

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4836
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4836 -s 7328
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3932

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4288
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4288 -s 3596
  2⤵
  - Program crash
  PID:4428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4288 -ip 4288
1⤵
PID:4664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4836 -ip 4836
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4196
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4196 -s 6048
  2⤵
  - Program crash
  PID:392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4840
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4840 -s 3620
  2⤵
  - Program crash
  PID:4644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 4840 -ip 4840
1⤵
PID:2996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 4196 -ip 4196
1⤵
PID:3196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2804
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2804 -s 7388
  2⤵
  - Program crash
  PID:3204

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1276

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3844
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3844 -s 3584
  2⤵
  - Program crash
  PID:4316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3844 -ip 3844
1⤵
PID:4200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 2804 -ip 2804
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4024

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3444
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3444 -s 5960
  2⤵
  - Program crash
  PID:3720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3444 -ip 3444
1⤵
PID:3752

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4784
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4784 -s 5984
  2⤵
  - Program crash
  PID:3852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2456
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2456 -s 3516
  2⤵
  - Program crash
  PID:3532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 2456 -ip 2456
1⤵
PID:3008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 4784 -ip 4784
1⤵
PID:3776

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4608
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4608 -s 1096
  2⤵
  - Program crash
  PID:4288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4276

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5116
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5116 -s 3576
  2⤵
  - Program crash
  PID:2804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 5116 -ip 5116
1⤵
PID:4880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 4608 -ip 4608
1⤵
PID:3632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4248
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4248 -s 4000
  2⤵
  - Program crash
  PID:3120

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4200
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4200 -s 2588
  2⤵
  - Program crash
  PID:2252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4200 -ip 4200
1⤵
PID:4784

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 4248 -ip 4248
1⤵
PID:3376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2888
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2888 -s 5704
  2⤵
  - Program crash
  PID:3584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 2888 -ip 2888
1⤵
PID:1828

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3196
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3196 -s 5772
  2⤵
  - Program crash
  PID:3456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4892
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4892 -s 3612
  2⤵
  - Program crash
  PID:1680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 4892 -ip 4892
1⤵
PID:1256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 3196 -ip 3196
1⤵
PID:3508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4252 -s 7380
  2⤵
  - Program crash
  PID:3952

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2040

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4224
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4224 -s 3564
  2⤵
  - Program crash
  PID:4276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 4224 -ip 4224
1⤵
PID:1368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 4252 -ip 4252
1⤵
PID:3540

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3796
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3796 -s 7472
  2⤵
  - Program crash
  PID:3956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1112

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2748
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2748 -s 3576
  2⤵
  - Program crash
  PID:4988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 2748 -ip 2748
1⤵
PID:2800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3796 -ip 3796
1⤵
PID:4280

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3208
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3208 -s 7152
  2⤵
  - Program crash
  PID:4880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4264
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4264 -s 3572
  2⤵
  - Program crash
  PID:4664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4264 -ip 4264
1⤵
PID:4388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 3208 -ip 3208
1⤵
PID:2820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4156
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4156 -s 7536
  2⤵
  - Program crash
  PID:1980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3372
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3372 -s 3576
  2⤵
  - Program crash
  PID:1012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3372 -ip 3372
1⤵
PID:548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 4156 -ip 4156
1⤵
PID:3704

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3696
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3696 -s 5952
  2⤵
  - Program crash
  PID:2320

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 3696 -ip 3696
1⤵
PID:1304

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4312
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4312 -s 4716
  2⤵
  - Program crash
  PID:1264

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4852

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2644
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2644 -s 3852
  2⤵
  - Program crash
  PID:4408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 2644 -ip 2644
1⤵
PID:2356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4312 -ip 4312
1⤵
PID:1584

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2152
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2152 -s 5952
  2⤵
  - Program crash
  PID:3524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2152 -ip 2152
1⤵
PID:4400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4844
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4844 -s 7364
  2⤵
  - Program crash
  PID:3372

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3456

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3776
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3776 -s 3536
  2⤵
  - Program crash
  PID:3124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3776 -ip 3776
1⤵
PID:3108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 4844 -ip 4844
1⤵
PID:1872

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1956
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1956 -s 6044
  2⤵
  - Program crash
  PID:4248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 1956 -ip 1956
1⤵
PID:3460

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4444
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4444 -s 3544
  2⤵
  - Program crash
  PID:3640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 660 -p 4444 -ip 4444
1⤵
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
29ca2a9bfe32d2d0032f9b9f23c21f95

SHA1
1956973c843d2977ce300d78cb39b7674d7672b1

SHA256
8571fcfed52bd8df54184d5808a24f8a8a356acfcfc3276de2e34c541f452799

SHA512
5facceb938caeb0e7e12215eaae36684c516ca97f82ccc7816df8712b3067b65e9b08889f92ee3aeb6fe3686eee5a0cbe95da9b33f0e58d26384f943bd7d4e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
b28b006ecbde1056d253d10b2b236195

SHA1
d2bdff17a5697f9de64068dfa5857bb71ae1d58c

SHA256
08f77c712d6a7a5499bb71943c27bd1df3bdc188a0bb19b7ce2ab643948ce63c

SHA512
62b9e9fd3fc0aaef05bd6ab3aef77310523d61d699d5f74d7fdf575d8f53c09c62459a67c3ef37f65ffc4820ab4989adb40164a6a569dc45136f15046a45e4b4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
memory/1264-137-0x000002BD98D60000-0x000002BD98D80000-memory.dmp

Filesize
128KB

Download
memory/1264-134-0x000002BD98750000-0x000002BD98770000-memory.dmp

Filesize
128KB

Download
memory/1264-132-0x000002BD98790000-0x000002BD987B0000-memory.dmp

Filesize
128KB

Download
memory/2384-64-0x0000027ABCFB0000-0x0000027ABCFD0000-memory.dmp

Filesize
128KB

Download
memory/2384-62-0x0000027ABD300000-0x0000027ABD320000-memory.dmp

Filesize
128KB

Download
memory/2384-66-0x0000027ABD6C0000-0x0000027ABD6E0000-memory.dmp

Filesize
128KB

Download
memory/2456-252-0x000001B3B9BC0000-0x000001B3B9BE0000-memory.dmp

Filesize
128KB

Download
memory/2456-250-0x000001B3B95B0000-0x000001B3B95D0000-memory.dmp

Filesize
128KB

Download
memory/2456-248-0x000001B3B95F0000-0x000001B3B9610000-memory.dmp

Filesize
128KB

Download
memory/2748-365-0x000001CF9F640000-0x000001CF9F660000-memory.dmp

Filesize
128KB

Download
memory/2748-363-0x000001CF9F680000-0x000001CF9F6A0000-memory.dmp

Filesize
128KB

Download
memory/2748-368-0x000001CF9FA50000-0x000001CF9FA70000-memory.dmp

Filesize
128KB

Download
memory/2804-216-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2932-20-0x0000028608CA0000-0x0000028608CC0000-memory.dmp

Filesize
128KB

Download
memory/2932-18-0x0000028608890000-0x00000286088B0000-memory.dmp

Filesize
128KB

Download
memory/2932-16-0x00000286088D0000-0x00000286088F0000-memory.dmp

Filesize
128KB

Download
memory/3000-161-0x0000021A9ED70000-0x0000021A9ED90000-memory.dmp

Filesize
128KB

Download
memory/3000-158-0x0000021A9E960000-0x0000021A9E980000-memory.dmp

Filesize
128KB

Download
memory/3000-155-0x0000021A9E9A0000-0x0000021A9E9C0000-memory.dmp

Filesize
128KB

Download
memory/3048-46-0x000001DE10EA0000-0x000001DE10EC0000-memory.dmp

Filesize
128KB

Download
memory/3048-39-0x000001DE108C0000-0x000001DE108E0000-memory.dmp

Filesize
128KB

Download
memory/3048-41-0x000001DE10880000-0x000001DE108A0000-memory.dmp

Filesize
128KB

Download
memory/3196-124-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/3196-309-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/3368-100-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/3468-77-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/3744-147-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/3796-355-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/3844-224-0x00000129F1940000-0x00000129F1960000-memory.dmp

Filesize
128KB

Download
memory/3844-226-0x00000129F1900000-0x00000129F1920000-memory.dmp

Filesize
128KB

Download
memory/3844-229-0x00000129F1D10000-0x00000129F1D30000-memory.dmp

Filesize
128KB

Download
memory/4052-31-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4068-85-0x000001FFEAEC0000-0x000001FFEAEE0000-memory.dmp

Filesize
128KB

Download
memory/4068-87-0x000001FFEAE80000-0x000001FFEAEA0000-memory.dmp

Filesize
128KB

Download
memory/4068-90-0x000001FFEB4A0000-0x000001FFEB4C0000-memory.dmp

Filesize
128KB

Download
memory/4196-193-0x0000000003F40000-0x0000000003F41000-memory.dmp

Filesize
4KB

Download
memory/4200-297-0x00000191D8240000-0x00000191D8260000-memory.dmp

Filesize
128KB

Download
memory/4200-299-0x00000191D8650000-0x00000191D8670000-memory.dmp

Filesize
128KB

Download
memory/4200-294-0x00000191D8280000-0x00000191D82A0000-memory.dmp

Filesize
128KB

Download
memory/4224-340-0x000002CE74D00000-0x000002CE74D20000-memory.dmp

Filesize
128KB

Download
memory/4224-342-0x000002CE749B0000-0x000002CE749D0000-memory.dmp

Filesize
128KB

Download
memory/4224-344-0x000002CE750C0000-0x000002CE750E0000-memory.dmp

Filesize
128KB

Download
memory/4248-286-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/4252-332-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/4284-108-0x000001D41B560000-0x000001D41B580000-memory.dmp

Filesize
128KB

Download
memory/4284-111-0x000001D41B520000-0x000001D41B540000-memory.dmp

Filesize
128KB

Download
memory/4284-114-0x000001D41B920000-0x000001D41B940000-memory.dmp

Filesize
128KB

Download
memory/4288-182-0x000001916F520000-0x000001916F540000-memory.dmp

Filesize
128KB

Download
memory/4288-178-0x000001916F160000-0x000001916F180000-memory.dmp

Filesize
128KB

Download
memory/4288-180-0x000001916F120000-0x000001916F140000-memory.dmp

Filesize
128KB

Download
memory/4608-263-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/4784-240-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/4836-170-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/4840-203-0x000001DBBB600000-0x000001DBBB620000-memory.dmp

Filesize
128KB

Download
memory/4840-201-0x000001DBBB640000-0x000001DBBB660000-memory.dmp

Filesize
128KB

Download
memory/4840-205-0x000001DBBBA10000-0x000001DBBBA30000-memory.dmp

Filesize
128KB

Download
memory/4888-9-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/4892-321-0x000002655BAD0000-0x000002655BAF0000-memory.dmp

Filesize
128KB

Download
memory/4892-319-0x000002655B3C0000-0x000002655B3E0000-memory.dmp

Filesize
128KB

Download
memory/4892-317-0x000002655B700000-0x000002655B720000-memory.dmp

Filesize
128KB

Download
memory/4928-54-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/5116-276-0x00000287D4540000-0x00000287D4560000-memory.dmp

Filesize
128KB

Download
memory/5116-271-0x00000287D4170000-0x00000287D4190000-memory.dmp

Filesize
128KB

Download
memory/5116-274-0x00000287D4130000-0x00000287D4150000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads