6424fa9743f00cf244cdda940034b78f70ea6be9d2bd52d3af994ac0c297d08e

Analysis

max time kernel
26s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 16:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6424fa9743f00cf244cdda940034b78f70ea6be9d2bd52d3af994ac0c297d08e.exe
Size

3.4MB
MD5

f06761d34e223e286efdb75e20de3379
SHA1

f0779d1c57f401d9fd913790dea1cd780cbeda27
SHA256

6424fa9743f00cf244cdda940034b78f70ea6be9d2bd52d3af994ac0c297d08e
SHA512

80866fc5e0ee8f95c8faa024a34f60db6096e25cacffc59d66a01709be3f42c9f80bd3de119bba91e151310d436b15949c5e489be3717383e38c0a878df66814
SSDEEP

49152:H7TvfU+8X9GrNOsva5RbKhF3ANkTTlGUB8rQ4U9NiubpbF:c+8X9G3vP3AMIa4ggC5

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 51 IoCs

pid	pid_target	Process	procid_target
3952	2584	WerFault.exe	86
4556	452	WerFault.exe	96
4256	2964	WerFault.exe	105
2860	3660	WerFault.exe	103
4120	3484	WerFault.exe	113
4568	2412	WerFault.exe	111
5000	1556	WerFault.exe	121
4680	2000	WerFault.exe	119
4056	4652	WerFault.exe	130
2236	1164	WerFault.exe	127
3048	4312	WerFault.exe	136
220	1388	WerFault.exe	143
2824	1524	WerFault.exe	141
2564	4488	WerFault.exe	149
4364	2800	WerFault.exe	156
3576	812	WerFault.exe	154
2504	4564	WerFault.exe	162
2460	548	WerFault.exe	167
4076	2896	WerFault.exe	174
1520	1548	WerFault.exe	172
3300	2504	WerFault.exe	182
4516	1196	WerFault.exe	180
4040	1092	WerFault.exe	188
3280	2036	WerFault.exe	195
2800	1960	WerFault.exe	193
3640	2220	WerFault.exe	203
4108	5000	WerFault.exe	201
2840	3520	WerFault.exe	209
544	4804	WerFault.exe	216
2164	4084	WerFault.exe	214
4300	316	WerFault.exe	222
2348	4688	WerFault.exe	229
744	3676	WerFault.exe	227
3932	1148	WerFault.exe	237
2824	4716	WerFault.exe	235
2476	3960	WerFault.exe	243
4380	2920	WerFault.exe	250
2552	3216	WerFault.exe	248
5044	3864	WerFault.exe	258
3972	4356	WerFault.exe	256
216	4284	WerFault.exe	264
2800	1220	WerFault.exe	271
4924	4696	WerFault.exe	269
1156	3748	WerFault.exe	279
3288	4076	WerFault.exe	277
1140	5004	WerFault.exe	287
1504	2960	WerFault.exe	285
1968	4580	WerFault.exe	295
4032	3748	WerFault.exe	293
3204	5060	WerFault.exe	301
4376	3268	WerFault.exe	308

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{0BF4B063-297B-4DCE-B987-F3EBE1B78650}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{70927C7D-DD0E-4B1A-833A-BF4D88F5E25A}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{EA5CB88F-0E43-46BA-A875-F295F3619BA0}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{2635F2AC-E7C8-4CD6-95FA-49247B56B6AD}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{B8C84930-02DC-46C7-BE7B-119E12A5AB91}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	2584	explorer.exe
Token: SeCreatePagefilePrivilege	2584	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	3660	explorer.exe
Token: SeCreatePagefilePrivilege	3660	explorer.exe
Token: SeShutdownPrivilege	3660	explorer.exe
Token: SeCreatePagefilePrivilege	3660	explorer.exe
Token: SeShutdownPrivilege	3660	explorer.exe
Token: SeCreatePagefilePrivilege	3660	explorer.exe
Token: SeShutdownPrivilege	3660	explorer.exe
Token: SeCreatePagefilePrivilege	3660	explorer.exe
Token: SeShutdownPrivilege	3660	explorer.exe
Token: SeCreatePagefilePrivilege	3660	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
3660	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4056	StartMenuExperienceHost.exe
3748	SearchApp.exe
3856	StartMenuExperienceHost.exe
692	StartMenuExperienceHost.exe
2964	SearchApp.exe
368	StartMenuExperienceHost.exe
3484	SearchApp.exe
4272	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\6424fa9743f00cf244cdda940034b78f70ea6be9d2bd52d3af994ac0c297d08e.exe
"C:\Users\Admin\AppData\Local\Temp\6424fa9743f00cf244cdda940034b78f70ea6be9d2bd52d3af994ac0c297d08e.exe"
1⤵
PID:2600

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2584
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2584 -s 6208
  2⤵
  - Program crash
  PID:3952

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 2584 -ip 2584
1⤵
PID:2800

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:452
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 452 -s 6008
  2⤵
  - Program crash
  PID:4556

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 452 -ip 452
1⤵
PID:1616

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3660
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3660 -s 7456
  2⤵
  - Program crash
  PID:2860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2964
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2964 -s 3712
  2⤵
  - Program crash
  PID:4256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2964 -ip 2964
1⤵
PID:4284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3660 -ip 3660
1⤵
PID:4716

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2412
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2412 -s 5792
  2⤵
  - Program crash
  PID:4568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:368

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3484
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3484 -s 2892
  2⤵
  - Program crash
  PID:4120

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 3484 -ip 3484
1⤵
PID:4084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 2412 -ip 2412
1⤵
PID:2040

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:2000
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2000 -s 7444
  2⤵
  - Program crash
  PID:4680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4272

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1556
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1556 -s 3544
  2⤵
  - Program crash
  PID:5000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 1556 -ip 1556
1⤵
PID:3488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 2000 -ip 2000
1⤵
PID:3972

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1164
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1164 -s 4924
  2⤵
  - Program crash
  PID:2236

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4652
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4652 -s 3624
  2⤵
  - Program crash
  PID:4056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 4652 -ip 4652
1⤵
PID:2460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 1164 -ip 1164
1⤵
PID:1180

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4312
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4312 -s 5996
  2⤵
  - Program crash
  PID:3048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4188

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 4312 -ip 4312
1⤵
PID:2408

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1524
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1524 -s 7380
  2⤵
  - Program crash
  PID:2824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1428

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1388
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1388 -s 3556
  2⤵
  - Program crash
  PID:220

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 1388 -ip 1388
1⤵
PID:4180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 1524 -ip 1524
1⤵
PID:2608

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4488
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4488 -s 5624
  2⤵
  - Program crash
  PID:2564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 4488 -ip 4488
1⤵
PID:4676

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:812
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 812 -s 7500
  2⤵
  - Program crash
  PID:3576

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2800
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2800 -s 3608
  2⤵
  - Program crash
  PID:4364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 2800 -ip 2800
1⤵
PID:3748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 812 -ip 812
1⤵
PID:3428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4564
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4564 -s 5856
  2⤵
  - Program crash
  PID:2504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 4564 -ip 4564
1⤵
PID:1892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:548
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 548 -s 4988
  2⤵
  - Program crash
  PID:2460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 548 -ip 548
1⤵
PID:1016

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1548
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1548 -s 7404
  2⤵
  - Program crash
  PID:1520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2232

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2896
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2896 -s 3588
  2⤵
  - Program crash
  PID:4076

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 640 -p 2896 -ip 2896
1⤵
PID:1960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 684 -p 1548 -ip 1548
1⤵
PID:1092

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1196
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1196 -s 7532
  2⤵
  - Program crash
  PID:4516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:744

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2504
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2504 -s 3560
  2⤵
  - Program crash
  PID:3300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 700 -p 2504 -ip 2504
1⤵
PID:1712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 744 -p 1196 -ip 1196
1⤵
PID:4340

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1092
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1092 -s 6176
  2⤵
  - Program crash
  PID:4040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 736 -p 1092 -ip 1092
1⤵
PID:2624

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1960
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1960 -s 6008
  2⤵
  - Program crash
  PID:2800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2036
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2036 -s 3576
  2⤵
  - Program crash
  PID:3280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 736 -p 2036 -ip 2036
1⤵
PID:3200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 1960 -ip 1960
1⤵
PID:2256

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5000
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5000 -s 6008
  2⤵
  - Program crash
  PID:4108

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3408

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2220
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2220 -s 3576
  2⤵
  - Program crash
  PID:3640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 676 -p 2220 -ip 2220
1⤵
PID:4264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 704 -p 5000 -ip 5000
1⤵
PID:3992

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3520
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3520 -s 6224
  2⤵
  - Program crash
  PID:2840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 740 -p 3520 -ip 3520
1⤵
PID:1376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4084
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4084 -s 7564
  2⤵
  - Program crash
  PID:2164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4804
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4804 -s 3528
  2⤵
  - Program crash
  PID:544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 704 -p 4804 -ip 4804
1⤵
PID:3160

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 732 -p 4084 -ip 4084
1⤵
PID:380

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:316
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 316 -s 5908
  2⤵
  - Program crash
  PID:4300

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 740 -p 316 -ip 316
1⤵
PID:4340

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3676
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3676 -s 6584
  2⤵
  - Program crash
  PID:744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1196

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4688
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4688 -s 3604
  2⤵
  - Program crash
  PID:2348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 740 -p 4688 -ip 4688
1⤵
PID:4004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 3676 -ip 3676
1⤵
PID:4996

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4716
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4716 -s 5976
  2⤵
  - Program crash
  PID:2824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1148
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1148 -s 2864
  2⤵
  - Program crash
  PID:3932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 772 -p 1148 -ip 1148
1⤵
PID:3376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 772 -p 4716 -ip 4716
1⤵
PID:4232

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3960
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3960 -s 5968
  2⤵
  - Program crash
  PID:2476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 3960 -ip 3960
1⤵
PID:3620

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3216
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3216 -s 5900
  2⤵
  - Program crash
  PID:2552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3268

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2920
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2920 -s 3620
  2⤵
  - Program crash
  PID:4380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 764 -p 2920 -ip 2920
1⤵
PID:2256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 692 -p 3216 -ip 3216
1⤵
PID:3156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4356
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4356 -s 5820
  2⤵
  - Program crash
  PID:3972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4556

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3864 -s 2560
  2⤵
  - Program crash
  PID:5044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 3864 -ip 3864
1⤵
PID:4384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 704 -p 4356 -ip 4356
1⤵
PID:1076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4284 -s 6008
  2⤵
  - Program crash
  PID:216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4284 -ip 4284
1⤵
PID:3520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4696
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4696 -s 7272
  2⤵
  - Program crash
  PID:4924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3788

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1220
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1220 -s 3596
  2⤵
  - Program crash
  PID:2800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 1220 -ip 1220
1⤵
PID:4180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 700 -p 4696 -ip 4696
1⤵
PID:2128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4076
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4076 -s 7200
  2⤵
  - Program crash
  PID:3288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3748
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3748 -s 3700
  2⤵
  - Program crash
  PID:1156

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 3748 -ip 3748
1⤵
PID:4264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4076 -ip 4076
1⤵
PID:3396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2960
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2960 -s 3472
  2⤵
  - Program crash
  PID:1504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4472

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5004
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5004 -s 3580
  2⤵
  - Program crash
  PID:1140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 5004 -ip 5004
1⤵
PID:1076

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 2960 -ip 2960
1⤵
PID:5060

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3748
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3748 -s 5148
  2⤵
  - Program crash
  PID:4032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4388

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4580
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4580 -s 2668
  2⤵
  - Program crash
  PID:1968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 4580 -ip 4580
1⤵
PID:3244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 3748 -ip 3748
1⤵
PID:1284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5060
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5060 -s 5992
  2⤵
  - Program crash
  PID:3204

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 5060 -ip 5060
1⤵
PID:4296

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3268
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3268 -s 3568
  2⤵
  - Program crash
  PID:4376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 3268 -ip 3268
1⤵
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
29ca2a9bfe32d2d0032f9b9f23c21f95

SHA1
1956973c843d2977ce300d78cb39b7674d7672b1

SHA256
8571fcfed52bd8df54184d5808a24f8a8a356acfcfc3276de2e34c541f452799

SHA512
5facceb938caeb0e7e12215eaae36684c516ca97f82ccc7816df8712b3067b65e9b08889f92ee3aeb6fe3686eee5a0cbe95da9b33f0e58d26384f943bd7d4e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
79ea8b7996de5c76ab5f1c066b714e75

SHA1
c04872bcb562adf03fb6098dbcdf259d8673c506

SHA256
96584114cd84d3778305c1a3faaf3c202e7c1e372a9f64afb770dcbf350a7a68

SHA512
2255c5ab9883c80c450dbcc93edef65ad566fa51ab2d18d680b3d146ebd05cd0208893788e1d8f2d622a1fdcab51464209663274b6875baf93081cc0fa77c342

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
memory/812-124-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/1148-293-0x00000280AA320000-0x00000280AA340000-memory.dmp

Filesize
128KB

Download
memory/1148-295-0x00000280AA2E0000-0x00000280AA300000-memory.dmp

Filesize
128KB

Download
memory/1148-299-0x00000280AA900000-0x00000280AA920000-memory.dmp

Filesize
128KB

Download
memory/1164-77-0x0000000003EE0000-0x0000000003EE1000-memory.dmp

Filesize
4KB

Download
memory/1196-170-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1220-363-0x000001FDA6940000-0x000001FDA6960000-memory.dmp

Filesize
128KB

Download
memory/1220-365-0x000001FDA6900000-0x000001FDA6920000-memory.dmp

Filesize
128KB

Download
memory/1220-367-0x000001FDA6D10000-0x000001FDA6D30000-memory.dmp

Filesize
128KB

Download
memory/1388-110-0x000001E693570000-0x000001E693590000-memory.dmp

Filesize
128KB

Download
memory/1388-112-0x000001E693980000-0x000001E6939A0000-memory.dmp

Filesize
128KB

Download
memory/1388-108-0x000001E6935B0000-0x000001E6935D0000-memory.dmp

Filesize
128KB

Download
memory/1524-101-0x0000000003E60000-0x0000000003E61000-memory.dmp

Filesize
4KB

Download
memory/1548-147-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/1556-64-0x000001F38A900000-0x000001F38A920000-memory.dmp

Filesize
128KB

Download
memory/1556-61-0x000001F38A940000-0x000001F38A960000-memory.dmp

Filesize
128KB

Download
memory/1556-68-0x000001F38AD10000-0x000001F38AD30000-memory.dmp

Filesize
128KB

Download
memory/1960-195-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2000-54-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/2036-206-0x000002AEEF2A0000-0x000002AEEF2C0000-memory.dmp

Filesize
128KB

Download
memory/2036-204-0x000002AEEEC90000-0x000002AEEECB0000-memory.dmp

Filesize
128KB

Download
memory/2036-202-0x000002AEEECD0000-0x000002AEEECF0000-memory.dmp

Filesize
128KB

Download
memory/2220-231-0x000001AB1A120000-0x000001AB1A140000-memory.dmp

Filesize
128KB

Download
memory/2220-227-0x000001AB19D20000-0x000001AB19D40000-memory.dmp

Filesize
128KB

Download
memory/2220-225-0x000001AB19D60000-0x000001AB19D80000-memory.dmp

Filesize
128KB

Download
memory/2412-31-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2504-180-0x0000013ACF620000-0x0000013ACF640000-memory.dmp

Filesize
128KB

Download
memory/2504-184-0x0000013ACFA30000-0x0000013ACFA50000-memory.dmp

Filesize
128KB

Download
memory/2504-178-0x0000013ACF660000-0x0000013ACF680000-memory.dmp

Filesize
128KB

Download
memory/2800-134-0x0000020A8C270000-0x0000020A8C290000-memory.dmp

Filesize
128KB

Download
memory/2800-132-0x0000020A8C2B0000-0x0000020A8C2D0000-memory.dmp

Filesize
128KB

Download
memory/2800-136-0x0000020A8C880000-0x0000020A8C8A0000-memory.dmp

Filesize
128KB

Download
memory/2896-160-0x000001A20D8F0000-0x000001A20D910000-memory.dmp

Filesize
128KB

Download
memory/2896-157-0x000001A20D1E0000-0x000001A20D200000-memory.dmp

Filesize
128KB

Download
memory/2896-155-0x000001A20D520000-0x000001A20D540000-memory.dmp

Filesize
128KB

Download
memory/2920-319-0x000002B4C4C50000-0x000002B4C4C70000-memory.dmp

Filesize
128KB

Download
memory/2920-321-0x000002B4C5260000-0x000002B4C5280000-memory.dmp

Filesize
128KB

Download
memory/2920-317-0x000002B4C4C90000-0x000002B4C4CB0000-memory.dmp

Filesize
128KB

Download
memory/2964-18-0x00000152DDB30000-0x00000152DDB50000-memory.dmp

Filesize
128KB

Download
memory/2964-20-0x00000152DE200000-0x00000152DE220000-memory.dmp

Filesize
128KB

Download
memory/2964-15-0x00000152DDB70000-0x00000152DDB90000-memory.dmp

Filesize
128KB

Download
memory/3216-310-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/3484-45-0x0000018DC6980000-0x0000018DC69A0000-memory.dmp

Filesize
128KB

Download
memory/3484-38-0x0000018DC65B0000-0x0000018DC65D0000-memory.dmp

Filesize
128KB

Download
memory/3484-41-0x0000018DC6570000-0x0000018DC6590000-memory.dmp

Filesize
128KB

Download
memory/3660-8-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3676-263-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/3864-342-0x0000017B17350000-0x0000017B17370000-memory.dmp

Filesize
128KB

Download
memory/3864-344-0x0000017B17760000-0x0000017B17780000-memory.dmp

Filesize
128KB

Download
memory/3864-340-0x0000017B17390000-0x0000017B173B0000-memory.dmp

Filesize
128KB

Download
memory/4084-241-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/4356-332-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/4652-85-0x000001BE40D20000-0x000001BE40D40000-memory.dmp

Filesize
128KB

Download
memory/4652-88-0x000001BE41130000-0x000001BE41150000-memory.dmp

Filesize
128KB

Download
memory/4652-84-0x000001BE40D60000-0x000001BE40D80000-memory.dmp

Filesize
128KB

Download
memory/4688-274-0x00000181D6840000-0x00000181D6860000-memory.dmp

Filesize
128KB

Download
memory/4688-272-0x00000181D6430000-0x00000181D6450000-memory.dmp

Filesize
128KB

Download
memory/4688-270-0x00000181D6470000-0x00000181D6490000-memory.dmp

Filesize
128KB

Download
memory/4696-356-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/4716-285-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/4804-254-0x000001C0A4900000-0x000001C0A4920000-memory.dmp

Filesize
128KB

Download
memory/4804-251-0x000001C0A42F0000-0x000001C0A4310000-memory.dmp

Filesize
128KB

Download
memory/4804-249-0x000001C0A4330000-0x000001C0A4350000-memory.dmp

Filesize
128KB

Download
memory/5000-217-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads