e2c0bec3e743dc7e01c541dbe32d3b9f663471fa5aedb7ef713c917ddc83b230

Analysis

max time kernel
38s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 15:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e2c0bec3e743dc7e01c541dbe32d3b9f663471fa5aedb7ef713c917ddc83b230.exe
Size

3.5MB
MD5

05f49699a11ab97532a8b7924a4c4f05
SHA1

bb300eba57e85468b3410fd2f543bc03b59acc0c
SHA256

e2c0bec3e743dc7e01c541dbe32d3b9f663471fa5aedb7ef713c917ddc83b230
SHA512

18b20bfd3ebead493ff7df5eb03318fcd54c59fdf9952601e945a705192dff3da17c0993e4c725f7c7f430ab91de15dfcb783f77e96e2c8711f29e32bb4e0c20
SSDEEP

49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTl6aIf1WSxWxf9Q3C3:Q+8X9G3vP3AM2Txk3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Program crash 46 IoCs

pid	pid_target	Process	procid_target
5080	3372	WerFault.exe	85
4988	4284	WerFault.exe	96
1424	4932	WerFault.exe	102
4176	4620	WerFault.exe	110
2008	3952	WerFault.exe	108
3124	2376	WerFault.exe	117
4396	400	WerFault.exe	124
1212	3688	WerFault.exe	122
4060	4712	WerFault.exe	132
4220	1336	WerFault.exe	130
2264	3220	WerFault.exe	140
2428	3492	WerFault.exe	138
1536	3788	WerFault.exe	148
3768	2192	WerFault.exe	146
3000	4240	WerFault.exe	156
4004	4872	WerFault.exe	154
3908	1588	WerFault.exe	164
2304	3100	WerFault.exe	162
540	1048	WerFault.exe	172
3888	2708	WerFault.exe	170
3288	4180	WerFault.exe	178
4608	4224	WerFault.exe	183
4036	3408	WerFault.exe	190
1328	4136	WerFault.exe	188
5032	3444	WerFault.exe	196
4292	1264	WerFault.exe	203
2528	3524	WerFault.exe	201
4580	540	WerFault.exe	211
3536	220	WerFault.exe	209
1704	396	WerFault.exe	219
1040	2104	WerFault.exe	217
2212	2864	WerFault.exe	227
1424	1392	WerFault.exe	225
1540	1796	WerFault.exe	233
3340	3420	WerFault.exe	241
1508	4608	WerFault.exe	239
4036	3768	WerFault.exe	247
4996	4128	WerFault.exe	252
4316	3944	WerFault.exe	259
2012	3592	WerFault.exe	257
1640	3420	WerFault.exe	267
3672	1684	WerFault.exe	265
1336	3736	WerFault.exe	273
3572	3312	WerFault.exe	278
4056	4068	WerFault.exe	279
2108	2164	WerFault.exe	286

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{B724252E-99F1-44B8-B605-8540ECCD129F}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{556AFAE3-E21F-4BAE-8895-321379FE8BF4}	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{BB317844-ECF5-40D3-8C99-3AF22DC1DED0}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{49E8C809-8775-470C-B2AE-6149F4C5C2FE}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	3372	explorer.exe
Token: SeCreatePagefilePrivilege	3372	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
3372	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
3952	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
948	StartMenuExperienceHost.exe
3532	StartMenuExperienceHost.exe
4252	StartMenuExperienceHost.exe
2204	SearchApp.exe
1516	StartMenuExperienceHost.exe
4620	SearchApp.exe
4316	StartMenuExperienceHost.exe
2184	StartMenuExperienceHost.exe
400	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\e2c0bec3e743dc7e01c541dbe32d3b9f663471fa5aedb7ef713c917ddc83b230.exe
"C:\Users\Admin\AppData\Local\Temp\e2c0bec3e743dc7e01c541dbe32d3b9f663471fa5aedb7ef713c917ddc83b230.exe"
1⤵
PID:1160

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3372
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3372 -s 6156
  2⤵
  - Program crash
  PID:5080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 3372 -ip 3372
1⤵
PID:4060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4284 -s 5992
  2⤵
  - Program crash
  PID:4988

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 4284 -ip 4284
1⤵
PID:500

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4932
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4932 -s 6084
  2⤵
  - Program crash
  PID:1424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4932 -ip 4932
1⤵
PID:4844

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3952 -s 7620
  2⤵
  - Program crash
  PID:2008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4620
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4620 -s 3608
  2⤵
  - Program crash
  PID:4176

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 4620 -ip 4620
1⤵
PID:3368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 3952 -ip 3952
1⤵
PID:2140

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2376
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2376 -s 5768
  2⤵
  - Program crash
  PID:3124

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 2376 -ip 2376
1⤵
PID:4336

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:3688
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3688 -s 6136
  2⤵
  - Program crash
  PID:1212

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:400
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 400 -s 3600
  2⤵
  - Program crash
  PID:4396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 400 -ip 400
1⤵
PID:5052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 204 -p 3688 -ip 3688
1⤵
PID:1656

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1336
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1336 -s 6296
  2⤵
  - Program crash
  PID:4220

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4712
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4712 -s 3604
  2⤵
  - Program crash
  PID:4060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 4712 -ip 4712
1⤵
PID:2400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 1336 -ip 1336
1⤵
PID:3604

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3492
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3492 -s 5712
  2⤵
  - Program crash
  PID:2428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3220
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3220 -s 3560
  2⤵
  - Program crash
  PID:2264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 660 -p 3220 -ip 3220
1⤵
PID:4716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3492 -ip 3492
1⤵
PID:4088

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2192
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2192 -s 6132
  2⤵
  - Program crash
  PID:3768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3524

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3788
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3788 -s 3592
  2⤵
  - Program crash
  PID:1536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 204 -p 3788 -ip 3788
1⤵
PID:2704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 2192 -ip 2192
1⤵
PID:1716

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4872 -s 6148
  2⤵
  - Program crash
  PID:4004

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4240
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4240 -s 3592
  2⤵
  - Program crash
  PID:3000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 4240 -ip 4240
1⤵
PID:3580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 4872 -ip 4872
1⤵
PID:3736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3100
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3100 -s 7464
  2⤵
  - Program crash
  PID:2304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1588
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1588 -s 3596
  2⤵
  - Program crash
  PID:3908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 1588 -ip 1588
1⤵
PID:3748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 648 -p 3100 -ip 3100
1⤵
PID:948

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2708
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2708 -s 5888
  2⤵
  - Program crash
  PID:3888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4468

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1048
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1048 -s 3568
  2⤵
  - Program crash
  PID:540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 1048 -ip 1048
1⤵
PID:1536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 2708 -ip 2708
1⤵
PID:1716

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4180
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4180 -s 5888
  2⤵
  - Program crash
  PID:3288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 688 -p 4180 -ip 4180
1⤵
PID:868

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4224
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4224 -s 5804
  2⤵
  - Program crash
  PID:4608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2588

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 4224 -ip 4224
1⤵
PID:3296

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4136
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4136 -s 7356
  2⤵
  - Program crash
  PID:1328

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3408
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3408 -s 2688
  2⤵
  - Program crash
  PID:4036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 376 -p 3408 -ip 3408
1⤵
PID:3348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4136 -ip 4136
1⤵
PID:4684

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3444
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3444 -s 5880
  2⤵
  - Program crash
  PID:5032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 3444 -ip 3444
1⤵
PID:4040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3524
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3524 -s 7612
  2⤵
  - Program crash
  PID:2528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1264
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1264 -s 3612
  2⤵
  - Program crash
  PID:4292

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 1264 -ip 1264
1⤵
PID:4300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 648 -p 3524 -ip 3524
1⤵
PID:4116

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:220
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 220 -s 7432
  2⤵
  - Program crash
  PID:3536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:540
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 540 -s 3532
  2⤵
  - Program crash
  PID:4580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 672 -p 540 -ip 540
1⤵
PID:3388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 220 -ip 220
1⤵
PID:3964

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2104
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2104 -s 7476
  2⤵
  - Program crash
  PID:1040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3956

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:396
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 396 -s 3584
  2⤵
  - Program crash
  PID:1704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 396 -ip 396
1⤵
PID:640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 2104 -ip 2104
1⤵
PID:5048

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1392
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1392 -s 5828
  2⤵
  - Program crash
  PID:1424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2068

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2864 -s 3564
  2⤵
  - Program crash
  PID:2212

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 2864 -ip 2864
1⤵
PID:3348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 1392 -ip 1392
1⤵
PID:4660

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1796
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1796 -s 5868
  2⤵
  - Program crash
  PID:1540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 1796 -ip 1796
1⤵
PID:3864

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4608
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4608 -s 6128
  2⤵
  - Program crash
  PID:1508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4156

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3420
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3420 -s 3616
  2⤵
  - Program crash
  PID:3340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3420 -ip 3420
1⤵
PID:4220

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 376 -p 4608 -ip 4608
1⤵
PID:3764

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3768
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3768 -s 5776
  2⤵
  - Program crash
  PID:4036

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 3768 -ip 3768
1⤵
PID:3584

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4128
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4128 -s 5892
  2⤵
  - Program crash
  PID:4996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4128 -ip 4128
1⤵
PID:4356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3592
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3592 -s 5200
  2⤵
  - Program crash
  PID:2012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3756

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3944
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3944 -s 3520
  2⤵
  - Program crash
  PID:4316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 196 -p 3944 -ip 3944
1⤵
PID:4804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 3592 -ip 3592
1⤵
PID:2304

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1684
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1684 -s 5856
  2⤵
  - Program crash
  PID:3672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1784

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3420
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3420 -s 3544
  2⤵
  - Program crash
  PID:1640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 196 -p 3420 -ip 3420
1⤵
PID:4756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 1684 -ip 1684
1⤵
PID:3988

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3736
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3736 -s 5968
  2⤵
  - Modifies Installed Components in the registry
  - Program crash
  - Modifies registry class
  PID:1336

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:212

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 3736 -ip 3736
1⤵
PID:5048

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3312
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3312 -s 3936
  2⤵
  - Program crash
  PID:3572

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4068
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4068 -s 6108
  2⤵
  - Program crash
  PID:4056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 3312 -ip 3312
1⤵
PID:3644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4068 -ip 4068
1⤵
PID:1372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2164
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2164 -s 5888
  2⤵
  - Program crash
  PID:2108

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 2164 -ip 2164
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
29ca2a9bfe32d2d0032f9b9f23c21f95

SHA1
1956973c843d2977ce300d78cb39b7674d7672b1

SHA256
8571fcfed52bd8df54184d5808a24f8a8a356acfcfc3276de2e34c541f452799

SHA512
5facceb938caeb0e7e12215eaae36684c516ca97f82ccc7816df8712b3067b65e9b08889f92ee3aeb6fe3686eee5a0cbe95da9b33f0e58d26384f943bd7d4e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
d28c9b88c064ae4301f8cc0ac1f8c035

SHA1
585ebe0db35f56102bf04f29c5b65df907a91612

SHA256
ad32b829fcac05e97711df3b86642aac86ad69acb6eb4cf17a9797bb86ca3e76

SHA512
0c17f4bc3cbc87285d5273bfb19f99aba7f87a9f94bef343e1b8d7c06be9f093dd05b1128ad91d1dba143b7da292022b690c1af032524e585fa51cb21a0a81c9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
memory/220-239-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/396-270-0x000002A2F41F0000-0x000002A2F4210000-memory.dmp

Filesize
128KB

Download
memory/396-272-0x000002A2F41B0000-0x000002A2F41D0000-memory.dmp

Filesize
128KB

Download
memory/396-276-0x000002A2F45C0000-0x000002A2F45E0000-memory.dmp

Filesize
128KB

Download
memory/400-44-0x00000274F6940000-0x00000274F6960000-memory.dmp

Filesize
128KB

Download
memory/400-42-0x00000274F6530000-0x00000274F6550000-memory.dmp

Filesize
128KB

Download
memory/400-40-0x00000274F6570000-0x00000274F6590000-memory.dmp

Filesize
128KB

Download
memory/540-247-0x00000135791A0000-0x00000135791C0000-memory.dmp

Filesize
128KB

Download
memory/540-250-0x0000013579160000-0x0000013579180000-memory.dmp

Filesize
128KB

Download
memory/540-253-0x0000013579570000-0x0000013579590000-memory.dmp

Filesize
128KB

Download
memory/1048-180-0x0000028EE0FD0000-0x0000028EE0FF0000-memory.dmp

Filesize
128KB

Download
memory/1048-178-0x0000028EE1320000-0x0000028EE1340000-memory.dmp

Filesize
128KB

Download
memory/1048-182-0x0000028EE16E0000-0x0000028EE1700000-memory.dmp

Filesize
128KB

Download
memory/1264-224-0x000001DD28FA0000-0x000001DD28FC0000-memory.dmp

Filesize
128KB

Download
memory/1264-226-0x000001DD28F60000-0x000001DD28F80000-memory.dmp

Filesize
128KB

Download
memory/1264-229-0x000001DD29370000-0x000001DD29390000-memory.dmp

Filesize
128KB

Download
memory/1336-55-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/1392-285-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1588-157-0x0000019506090000-0x00000195060B0000-memory.dmp

Filesize
128KB

Download
memory/1588-159-0x00000195064A0000-0x00000195064C0000-memory.dmp

Filesize
128KB

Download
memory/1588-155-0x00000195060D0000-0x00000195060F0000-memory.dmp

Filesize
128KB

Download
memory/1684-358-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/2104-262-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/2192-102-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/2708-170-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/2864-293-0x000001DB41440000-0x000001DB41460000-memory.dmp

Filesize
128KB

Download
memory/2864-299-0x000001DB41810000-0x000001DB41830000-memory.dmp

Filesize
128KB

Download
memory/2864-295-0x000001DB41400000-0x000001DB41420000-memory.dmp

Filesize
128KB

Download
memory/3100-148-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/3220-88-0x000001DF5FE60000-0x000001DF5FE80000-memory.dmp

Filesize
128KB

Download
memory/3220-92-0x000001DF60480000-0x000001DF604A0000-memory.dmp

Filesize
128KB

Download
memory/3220-86-0x000001DF5FEA0000-0x000001DF5FEC0000-memory.dmp

Filesize
128KB

Download
memory/3408-203-0x00000238832D0000-0x00000238832F0000-memory.dmp

Filesize
128KB

Download
memory/3408-206-0x0000023883290000-0x00000238832B0000-memory.dmp

Filesize
128KB

Download
memory/3408-209-0x00000238838A0000-0x00000238838C0000-memory.dmp

Filesize
128KB

Download
memory/3420-319-0x00000217F26B0000-0x00000217F26D0000-memory.dmp

Filesize
128KB

Download
memory/3420-317-0x00000217F26F0000-0x00000217F2710000-memory.dmp

Filesize
128KB

Download
memory/3420-322-0x00000217F2CC0000-0x00000217F2CE0000-memory.dmp

Filesize
128KB

Download
memory/3420-365-0x0000012F7D0C0000-0x0000012F7D0E0000-memory.dmp

Filesize
128KB

Download
memory/3420-371-0x0000012F7D6A0000-0x0000012F7D6C0000-memory.dmp

Filesize
128KB

Download
memory/3420-369-0x0000012F7D080000-0x0000012F7D0A0000-memory.dmp

Filesize
128KB

Download
memory/3492-78-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3524-216-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/3592-335-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/3688-32-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/3788-109-0x00000235834D0000-0x00000235834F0000-memory.dmp

Filesize
128KB

Download
memory/3788-113-0x0000023583490000-0x00000235834B0000-memory.dmp

Filesize
128KB

Download
memory/3788-116-0x00000235838A0000-0x00000235838C0000-memory.dmp

Filesize
128KB

Download
memory/3944-348-0x000001CFAA310000-0x000001CFAA330000-memory.dmp

Filesize
128KB

Download
memory/3944-345-0x000001CFA9F00000-0x000001CFA9F20000-memory.dmp

Filesize
128KB

Download
memory/3944-342-0x000001CFA9F40000-0x000001CFA9F60000-memory.dmp

Filesize
128KB

Download
memory/3952-9-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/4136-195-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/4240-134-0x0000020FB8300000-0x0000020FB8320000-memory.dmp

Filesize
128KB

Download
memory/4240-137-0x0000020FB87A0000-0x0000020FB87C0000-memory.dmp

Filesize
128KB

Download
memory/4240-132-0x0000020FB8340000-0x0000020FB8360000-memory.dmp

Filesize
128KB

Download
memory/4608-309-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/4620-16-0x000001D36EC00000-0x000001D36EC20000-memory.dmp

Filesize
128KB

Download
memory/4620-21-0x000001D36EFD0000-0x000001D36EFF0000-memory.dmp

Filesize
128KB

Download
memory/4620-19-0x000001D36EBC0000-0x000001D36EBE0000-memory.dmp

Filesize
128KB

Download
memory/4712-63-0x00000224218D0000-0x00000224218F0000-memory.dmp

Filesize
128KB

Download
memory/4712-65-0x0000022421890000-0x00000224218B0000-memory.dmp

Filesize
128KB

Download
memory/4712-67-0x0000022421EA0000-0x0000022421EC0000-memory.dmp

Filesize
128KB

Download
memory/4872-124-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads