2aaaf992c5573f4501cfc7515258f8577cbd7df77fdf8e99453b0a7deb159e77

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aaaf992c5573f4501cfc7515258f8577cbd7df77fdf8e99453b0a7deb159e77.exe
Size

3.1MB
MD5

1eb8908a3ed956ae41a1f57ccf1ec1f9
SHA1

c2add31975ec78bbfd2fa27f7488340f65b31400
SHA256

2aaaf992c5573f4501cfc7515258f8577cbd7df77fdf8e99453b0a7deb159e77
SHA512

ca2f338abc21b8a8094d653b9b9f175fc10b5650ee69f5a03e189fe3066476047e94431d67d0552676a70a66157ea5a58ecc460a24588061be25faf42962e9c9
SSDEEP

49152:H7TvfU+8X9GrNOsva5RbKhF3ANkTTl9043QLbm25jW7xfglq/OLYxa7Yf:c+8X9G3vP3AMDpQXJ5jWtf//OLYIUf

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Program crash 52 IoCs

pid	pid_target	Process	procid_target
3304	848	WerFault.exe	85
1080	4272	WerFault.exe	94
3700	896	WerFault.exe	103
4456	3280	WerFault.exe	101
1772	3464	WerFault.exe	114
3824	3972	WerFault.exe	109
4952	3676	WerFault.exe	125
972	4716	WerFault.exe	122
4808	3896	WerFault.exe	135
1728	2792	WerFault.exe	131
3700	4276	WerFault.exe	144
944	3164	WerFault.exe	141
4092	4432	WerFault.exe	153
2548	4236	WerFault.exe	150
4060	2884	WerFault.exe	161
2792	2948	WerFault.exe	159
2644	4412	WerFault.exe	170
4340	4516	WerFault.exe	167
3088	2988	WerFault.exe	178
332	4308	WerFault.exe	176
652	2520	WerFault.exe	186
1332	1096	WerFault.exe	184
3304	4276	WerFault.exe	195
4328	4436	WerFault.exe	193
1904	2948	WerFault.exe	201
2972	4120	WerFault.exe	209
3764	1844	WerFault.exe	207
2112	2132	WerFault.exe	217
4412	3456	WerFault.exe	215
504	2052	WerFault.exe	223
4732	4708	WerFault.exe	230
4184	4436	WerFault.exe	228
1872	4716	WerFault.exe	236
3736	3860	WerFault.exe	243
960	3052	WerFault.exe	241
4020	3512	WerFault.exe	251
4104	3924	WerFault.exe	249
1776	1696	WerFault.exe	260
688	456	WerFault.exe	258
2776	1232	WerFault.exe	268
1600	2104	WerFault.exe	266
4512	3848	WerFault.exe	274
2832	1820	WerFault.exe	281
3876	4664	WerFault.exe	279
2528	4288	WerFault.exe	288
4264	4104	WerFault.exe	287
4820	3576	WerFault.exe	295
2504	2008	WerFault.exe	302
2552	2436	WerFault.exe	300
4756	3624	WerFault.exe	308
2252	4804	WerFault.exe	313
3960	2968	WerFault.exe	318

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{618D339D-51EE-4784-A453-181B2582A7F3}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{F141EFF9-C6AA-4116-AC57-2A8978D46C26}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	4272	explorer.exe
Token: SeCreatePagefilePrivilege	4272	explorer.exe
Token: SeShutdownPrivilege	4272	explorer.exe
Token: SeCreatePagefilePrivilege	4272	explorer.exe
Token: SeShutdownPrivilege	4272	explorer.exe
Token: SeCreatePagefilePrivilege	4272	explorer.exe
Token: SeShutdownPrivilege	4272	explorer.exe
Token: SeCreatePagefilePrivilege	4272	explorer.exe
Token: SeShutdownPrivilege	4272	explorer.exe
Token: SeCreatePagefilePrivilege	4272	explorer.exe
Token: SeShutdownPrivilege	4272	explorer.exe
Token: SeCreatePagefilePrivilege	4272	explorer.exe
Token: SeShutdownPrivilege	4272	explorer.exe
Token: SeCreatePagefilePrivilege	4272	explorer.exe
Token: SeShutdownPrivilege	4272	explorer.exe
Token: SeCreatePagefilePrivilege	4272	explorer.exe
Token: SeShutdownPrivilege	4272	explorer.exe
Token: SeCreatePagefilePrivilege	4272	explorer.exe
Token: SeShutdownPrivilege	4272	explorer.exe
Token: SeCreatePagefilePrivilege	4272	explorer.exe
Token: SeShutdownPrivilege	4272	explorer.exe
Token: SeCreatePagefilePrivilege	4272	explorer.exe
Token: SeShutdownPrivilege	3280	explorer.exe
Token: SeCreatePagefilePrivilege	3280	explorer.exe
Token: SeShutdownPrivilege	3280	explorer.exe
Token: SeCreatePagefilePrivilege	3280	explorer.exe
Token: SeShutdownPrivilege	3280	explorer.exe
Token: SeCreatePagefilePrivilege	3280	explorer.exe
Token: SeShutdownPrivilege	3280	explorer.exe
Token: SeCreatePagefilePrivilege	3280	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3704	StartMenuExperienceHost.exe
4048	StartMenuExperienceHost.exe
1320	StartMenuExperienceHost.exe
896	SearchApp.exe
4640	StartMenuExperienceHost.exe
3464	SearchApp.exe
4620	StartMenuExperienceHost.exe
3676	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\2aaaf992c5573f4501cfc7515258f8577cbd7df77fdf8e99453b0a7deb159e77.exe
"C:\Users\Admin\AppData\Local\Temp\2aaaf992c5573f4501cfc7515258f8577cbd7df77fdf8e99453b0a7deb159e77.exe"
1⤵
PID:3932

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:848
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 848 -s 6160
  2⤵
  - Program crash
  PID:3304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 848 -ip 848
1⤵
PID:2888

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4272
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4272 -s 6000
  2⤵
  - Program crash
  PID:1080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 4272 -ip 4272
1⤵
PID:3336

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3280
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3280 -s 7144
  2⤵
  - Program crash
  PID:4456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:896
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 896 -s 3668
  2⤵
  - Program crash
  PID:3700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 896 -ip 896
1⤵
PID:4936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3280 -ip 3280
1⤵
PID:3336

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3972 -s 7412
  2⤵
  - Program crash
  PID:3824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4640

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3464
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3464 -s 3580
  2⤵
  - Program crash
  PID:1772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3464 -ip 3464
1⤵
PID:1512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 3972 -ip 3972
1⤵
PID:1728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4716
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4716 -s 7460
  2⤵
  - Program crash
  PID:972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4620

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3676
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3676 -s 3600
  2⤵
  - Program crash
  PID:4952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 3676 -ip 3676
1⤵
PID:2848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 4716 -ip 4716
1⤵
PID:4840

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2792
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2792 -s 3600
  2⤵
  - Program crash
  PID:1728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3716

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3896
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3896 -s 3536
  2⤵
  - Program crash
  PID:4808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3896 -ip 3896
1⤵
PID:3624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 2792 -ip 2792
1⤵
PID:4080

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3164
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3164 -s 1864
  2⤵
  - Program crash
  PID:944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3856

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4276 -s 3608
  2⤵
  - Program crash
  PID:3700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4276 -ip 4276
1⤵
PID:4960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 3164 -ip 3164
1⤵
PID:1264

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4236
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4236 -s 5932
  2⤵
  - Program crash
  PID:2548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3516

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4432
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4432 -s 3616
  2⤵
  - Program crash
  PID:4092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 4432 -ip 4432
1⤵
PID:3500

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4236 -ip 4236
1⤵
PID:4508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2948
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2948 -s 6044
  2⤵
  - Modifies Installed Components in the registry
  - Program crash
  - Modifies registry class
  PID:2792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2884
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2884 -s 3596
  2⤵
  - Program crash
  PID:4060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 2884 -ip 2884
1⤵
PID:1456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 2948 -ip 2948
1⤵
PID:2176

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4516
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4516 -s 992
  2⤵
  - Program crash
  PID:4340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4412
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4412 -s 3556
  2⤵
  - Program crash
  PID:2644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4412 -ip 4412
1⤵
PID:3340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 4516 -ip 4516
1⤵
PID:2780

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4308
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4308 -s 6000
  2⤵
  - Program crash
  PID:332

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3884

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2988
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2988 -s 3524
  2⤵
  - Program crash
  PID:3088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 2988 -ip 2988
1⤵
PID:3808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 4308 -ip 4308
1⤵
PID:2884

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1096
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1096 -s 5924
  2⤵
  - Program crash
  PID:1332

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3232

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2520
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2520 -s 3528
  2⤵
  - Program crash
  PID:652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 2520 -ip 2520
1⤵
PID:1728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 1096 -ip 1096
1⤵
PID:3284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4436
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4436 -s 5588
  2⤵
  - Program crash
  PID:4328

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4276 -s 3548
  2⤵
  - Program crash
  PID:3304

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4276 -ip 4276
1⤵
PID:3560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 4436 -ip 4436
1⤵
PID:3452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2948
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2948 -s 5828
  2⤵
  - Program crash
  PID:1904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 2948 -ip 2948
1⤵
PID:2700

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1844
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1844 -s 7492
  2⤵
  - Program crash
  PID:3764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3184

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4120
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4120 -s 3588
  2⤵
  - Program crash
  PID:2972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4120 -ip 4120
1⤵
PID:4704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 1844 -ip 1844
1⤵
PID:2872

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3456
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3456 -s 4856
  2⤵
  - Program crash
  PID:4412

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2132 -s 2708
  2⤵
  - Program crash
  PID:2112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 2132 -ip 2132
1⤵
PID:3856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3456 -ip 3456
1⤵
PID:712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2052
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2052 -s 6128
  2⤵
  - Program crash
  PID:504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 2052 -ip 2052
1⤵
PID:4276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4436
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4436 -s 5944
  2⤵
  - Program crash
  PID:4184

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4408

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4708
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4708 -s 3584
  2⤵
  - Program crash
  PID:4732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4708 -ip 4708
1⤵
PID:4692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4436 -ip 4436
1⤵
PID:3700

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:4716
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4716 -s 5968
  2⤵
  - Program crash
  PID:1872

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4452

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4716 -ip 4716
1⤵
PID:5072

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3052
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3052 -s 3392
  2⤵
  - Program crash
  PID:960

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3860
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3860 -s 3564
  2⤵
  - Program crash
  PID:3736

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3860 -ip 3860
1⤵
PID:4516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 3052 -ip 3052
1⤵
PID:2280

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3924
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3924 -s 7396
  2⤵
  - Program crash
  PID:4104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3512
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3512 -s 3584
  2⤵
  - Program crash
  PID:4020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3512 -ip 3512
1⤵
PID:2688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 3924 -ip 3924
1⤵
PID:5092

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:456
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 456 -s 6264
  2⤵
  - Program crash
  PID:688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:64

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1696
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1696 -s 3592
  2⤵
  - Program crash
  PID:1776

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 1696 -ip 1696
1⤵
PID:3640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 456 -ip 456
1⤵
PID:840

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2104
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2104 -s 5980
  2⤵
  - Program crash
  PID:1600

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4048

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1232
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1232 -s 3596
  2⤵
  - Program crash
  PID:2776

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 1232 -ip 1232
1⤵
PID:3800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 2104 -ip 2104
1⤵
PID:2408

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3848
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3848 -s 6040
  2⤵
  - Program crash
  PID:4512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3848 -ip 3848
1⤵
PID:1084

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4664
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4664 -s 7432
  2⤵
  - Program crash
  PID:3876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1820
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1820 -s 3584
  2⤵
  - Program crash
  PID:2832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 1820 -ip 1820
1⤵
PID:3472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 4664 -ip 4664
1⤵
PID:4772

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4104
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4104 -s 5808
  2⤵
  - Program crash
  PID:4264

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4288
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4288 -s 3764
  2⤵
  - Program crash
  PID:2528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 4288 -ip 4288
1⤵
PID:2968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 4104 -ip 4104
1⤵
PID:1820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3576
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3576 -s 5888
  2⤵
  - Program crash
  PID:4820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 3576 -ip 3576
1⤵
PID:3792

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2436
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2436 -s 6108
  2⤵
  - Program crash
  PID:2552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2008
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2008 -s 3596
  2⤵
  - Program crash
  PID:2504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 2008 -ip 2008
1⤵
PID:2884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 2436 -ip 2436
1⤵
PID:1180

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3624
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3624 -s 6080
  2⤵
  - Program crash
  PID:4756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 3624 -ip 3624
1⤵
PID:2284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4804
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4804 -s 5960
  2⤵
  - Program crash
  PID:2252

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 4804 -ip 4804
1⤵
PID:5108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2968
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2968 -s 6028
  2⤵
  - Program crash
  PID:3960

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 2968 -ip 2968
1⤵
PID:5112

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
29ca2a9bfe32d2d0032f9b9f23c21f95

SHA1
1956973c843d2977ce300d78cb39b7674d7672b1

SHA256
8571fcfed52bd8df54184d5808a24f8a8a356acfcfc3276de2e34c541f452799

SHA512
5facceb938caeb0e7e12215eaae36684c516ca97f82ccc7816df8712b3067b65e9b08889f92ee3aeb6fe3686eee5a0cbe95da9b33f0e58d26384f943bd7d4e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
d21c9220d2058981639f9598bef5e3ff

SHA1
e26bc394ac371fd001c2d23eaf804289a1e82566

SHA256
8df13c840b0f83efcb329268538c3bf4a273f7c4726e39fb9f840fd1096fe3e1

SHA512
c98d8cfd659c150c389e5f2f718e6a0200c9c4eb4d509fd9708e9db5f3dc106f8ba38c5355b2739115936162169e134e9be6d54aca4b17adbe8903708f863339

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
memory/896-22-0x000001E466080000-0x000001E4660A0000-memory.dmp

Filesize
128KB

Download
memory/896-18-0x000001E465C70000-0x000001E465C90000-memory.dmp

Filesize
128KB

Download
memory/896-16-0x000001E465CB0000-0x000001E465CD0000-memory.dmp

Filesize
128KB

Download
memory/1096-212-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/1844-259-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2132-293-0x00000181CF630000-0x00000181CF650000-memory.dmp

Filesize
128KB

Download
memory/2132-290-0x00000181CF670000-0x00000181CF690000-memory.dmp

Filesize
128KB

Download
memory/2132-296-0x00000181CFA40000-0x00000181CFA60000-memory.dmp

Filesize
128KB

Download
memory/2520-222-0x0000021203490000-0x00000212034B0000-memory.dmp

Filesize
128KB

Download
memory/2520-220-0x00000212034D0000-0x00000212034F0000-memory.dmp

Filesize
128KB

Download
memory/2520-226-0x00000212038A0000-0x00000212038C0000-memory.dmp

Filesize
128KB

Download
memory/2792-74-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2884-151-0x000002485BE20000-0x000002485BE40000-memory.dmp

Filesize
128KB

Download
memory/2884-153-0x000002485BBD0000-0x000002485BBF0000-memory.dmp

Filesize
128KB

Download
memory/2884-156-0x000002485C1E0000-0x000002485C200000-memory.dmp

Filesize
128KB

Download
memory/2948-143-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/2988-199-0x0000018266200000-0x0000018266220000-memory.dmp

Filesize
128KB

Download
memory/2988-197-0x0000018266240000-0x0000018266260000-memory.dmp

Filesize
128KB

Download
memory/2988-202-0x0000018266610000-0x0000018266630000-memory.dmp

Filesize
128KB

Download
memory/3052-329-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/3164-97-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/3280-9-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/3456-282-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/3464-43-0x000001AB4F8C0000-0x000001AB4F8E0000-memory.dmp

Filesize
128KB

Download
memory/3464-41-0x000001AB4F2B0000-0x000001AB4F2D0000-memory.dmp

Filesize
128KB

Download
memory/3464-39-0x000001AB4F2F0000-0x000001AB4F310000-memory.dmp

Filesize
128KB

Download
memory/3512-364-0x0000017E09E50000-0x0000017E09E70000-memory.dmp

Filesize
128KB

Download
memory/3512-362-0x0000017E09A40000-0x0000017E09A60000-memory.dmp

Filesize
128KB

Download
memory/3512-360-0x0000017E09A80000-0x0000017E09AA0000-memory.dmp

Filesize
128KB

Download
memory/3676-61-0x00000175D4280000-0x00000175D42A0000-memory.dmp

Filesize
128KB

Download
memory/3676-64-0x00000175D4690000-0x00000175D46B0000-memory.dmp

Filesize
128KB

Download
memory/3676-59-0x00000175D42C0000-0x00000175D42E0000-memory.dmp

Filesize
128KB

Download
memory/3860-337-0x000001873ED60000-0x000001873ED80000-memory.dmp

Filesize
128KB

Download
memory/3860-340-0x000001873ED20000-0x000001873ED40000-memory.dmp

Filesize
128KB

Download
memory/3860-344-0x000001873F120000-0x000001873F140000-memory.dmp

Filesize
128KB

Download
memory/3896-85-0x000001D831BC0000-0x000001D831BE0000-memory.dmp

Filesize
128KB

Download
memory/3896-82-0x000001D831C00000-0x000001D831C20000-memory.dmp

Filesize
128KB

Download
memory/3896-89-0x000001D831FD0000-0x000001D831FF0000-memory.dmp

Filesize
128KB

Download
memory/3924-352-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/3972-31-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/4120-272-0x00000191FC060000-0x00000191FC080000-memory.dmp

Filesize
128KB

Download
memory/4120-269-0x00000191FBA50000-0x00000191FBA70000-memory.dmp

Filesize
128KB

Download
memory/4120-267-0x00000191FBA90000-0x00000191FBAB0000-memory.dmp

Filesize
128KB

Download
memory/4236-121-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/4276-243-0x000002BFC96F0000-0x000002BFC9710000-memory.dmp

Filesize
128KB

Download
memory/4276-248-0x000002BFC9CC0000-0x000002BFC9CE0000-memory.dmp

Filesize
128KB

Download
memory/4276-105-0x0000023F93380000-0x0000023F933A0000-memory.dmp

Filesize
128KB

Download
memory/4276-107-0x0000023F93340000-0x0000023F93360000-memory.dmp

Filesize
128KB

Download
memory/4276-109-0x0000023F93750000-0x0000023F93770000-memory.dmp

Filesize
128KB

Download
memory/4276-246-0x000002BFC96B0000-0x000002BFC96D0000-memory.dmp

Filesize
128KB

Download
memory/4308-189-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/4412-174-0x000001B2E7960000-0x000001B2E7980000-memory.dmp

Filesize
128KB

Download
memory/4412-178-0x000001B2E7D20000-0x000001B2E7D40000-memory.dmp

Filesize
128KB

Download
memory/4412-176-0x000001B2E7920000-0x000001B2E7940000-memory.dmp

Filesize
128KB

Download
memory/4432-128-0x000001FEB9090000-0x000001FEB90B0000-memory.dmp

Filesize
128KB

Download
memory/4432-130-0x000001FEB9050000-0x000001FEB9070000-memory.dmp

Filesize
128KB

Download
memory/4432-132-0x000001FEB9660000-0x000001FEB9680000-memory.dmp

Filesize
128KB

Download
memory/4436-306-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/4436-235-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/4516-167-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/4708-318-0x00000146688A0000-0x00000146688C0000-memory.dmp

Filesize
128KB

Download
memory/4708-316-0x0000014668490000-0x00000146684B0000-memory.dmp

Filesize
128KB

Download
memory/4708-314-0x00000146684D0000-0x00000146684F0000-memory.dmp

Filesize
128KB

Download
memory/4716-51-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads