a633cf75940ad479827b1c917893e81548e84e3c3307badeaf5a594e81fa8f22

Analysis

max time kernel
24s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2023, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a633cf75940ad479827b1c917893e81548e84e3c3307badeaf5a594e81fa8f22.exe
Size

3.5MB
MD5

7ee13e13c6ec5681c7d759420ae21d7e
SHA1

3257773fd29389325f91eaaee49de329da961edf
SHA256

a633cf75940ad479827b1c917893e81548e84e3c3307badeaf5a594e81fa8f22
SHA512

d9d61719583e8ae09014e5a236b68fa0e9153e64bc37b91f5edffbbae7334e28d59fbcf6b46c68825a81a499d117cd9e9d698553d56bf039808bc010f4c67900
SSDEEP

49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTlj9S15Xwa+sZgVsB6GJaL:Q+8X9G3vP3AMPS15XesKVqUL

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	WerFault.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	WerFault.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 49 IoCs

pid	pid_target	Process	procid_target
2900	4000	WerFault.exe	86
4572	3064	WerFault.exe	95
3316	4696	WerFault.exe	104
1860	3236	WerFault.exe	102
3064	4612	WerFault.exe	110
2052	4004	WerFault.exe	115
4136	4560	WerFault.exe	122
2408	1616	WerFault.exe	120
4708	3660	WerFault.exe	128
4024	3364	WerFault.exe	134
3060	224	WerFault.exe	141
4436	4684	WerFault.exe	139
1680	2164	WerFault.exe	147
3568	3456	WerFault.exe	154
1488	2984	WerFault.exe	152
4708	3660	WerFault.exe	162
5076	4184	WerFault.exe	160
4260	4128	WerFault.exe	170
3320	2504	WerFault.exe	168
3376	3236	WerFault.exe	176
4472	2020	WerFault.exe	183
2508	4452	WerFault.exe	181
2252	4208	WerFault.exe	189
4140	2428	WerFault.exe	196
1576	3608	WerFault.exe	194
2392	840	WerFault.exe	204
2428	5024	WerFault.exe	202
548	952	WerFault.exe	210
4940	2348	WerFault.exe	217
4036	4240	WerFault.exe	215
4048	4896	WerFault.exe	223
1176	3392	WerFault.exe	230
4456	2108	WerFault.exe	228
3020	2896	WerFault.exe	238
3884	4664	WerFault.exe	236
4240	3396	WerFault.exe	246
3060	1928	WerFault.exe	244
3700	3732	WerFault.exe	252
3320	4788	WerFault.exe	257
3352	3328	WerFault.exe	264
2144	5016	WerFault.exe	262
3408	2312	WerFault.exe	270
2816	3700	WerFault.exe	276
4372	548	WerFault.exe	275
1652	1160	WerFault.exe	283
672	3712	WerFault.exe	290
4320	3372	WerFault.exe	288
3732	4896	WerFault.exe	298
8	2360	WerFault.exe	296

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{24ADDFE2-AB9F-40A4-96B3-1292BF970C0F}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{2848B321-3756-4C83-BB1B-026527E91F97}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	WerFault.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{900E0642-DDE4-4A15-8B57-1045501321F9}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{A97C4264-22A3-4EBA-8534-6FC2E9ED3A2B}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{29BBBC80-88A4-4B28-A474-B571B73C2FC2}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WerFault.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	4000	explorer.exe
Token: SeCreatePagefilePrivilege	4000	explorer.exe
Token: SeShutdownPrivilege	3064	WerFault.exe
Token: SeCreatePagefilePrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	3064	WerFault.exe
Token: SeCreatePagefilePrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	3064	WerFault.exe
Token: SeCreatePagefilePrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	3064	WerFault.exe
Token: SeCreatePagefilePrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	3064	WerFault.exe
Token: SeCreatePagefilePrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	3064	WerFault.exe
Token: SeCreatePagefilePrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	3064	WerFault.exe
Token: SeCreatePagefilePrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	3064	WerFault.exe
Token: SeCreatePagefilePrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	3064	WerFault.exe
Token: SeCreatePagefilePrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	3064	WerFault.exe
Token: SeCreatePagefilePrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	3064	WerFault.exe
Token: SeCreatePagefilePrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	3064	WerFault.exe
Token: SeCreatePagefilePrivilege	3064	WerFault.exe
Token: SeShutdownPrivilege	3236	explorer.exe
Token: SeCreatePagefilePrivilege	3236	explorer.exe
Token: SeShutdownPrivilege	3236	explorer.exe
Token: SeCreatePagefilePrivilege	3236	explorer.exe
Token: SeShutdownPrivilege	3236	explorer.exe
Token: SeCreatePagefilePrivilege	3236	explorer.exe
Token: SeShutdownPrivilege	3236	explorer.exe
Token: SeCreatePagefilePrivilege	3236	explorer.exe
Token: SeShutdownPrivilege	3236	explorer.exe
Token: SeCreatePagefilePrivilege	3236	explorer.exe
Token: SeShutdownPrivilege	3236	explorer.exe
Token: SeCreatePagefilePrivilege	3236	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3064	WerFault.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
3236	explorer.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
4004	explorer.exe
4004	explorer.exe
4004	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2976	StartMenuExperienceHost.exe
3268	StartMenuExperienceHost.exe
1396	StartMenuExperienceHost.exe
4696	SearchApp.exe
2732	Process not Found
3196	WerFault.exe
2564	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\a633cf75940ad479827b1c917893e81548e84e3c3307badeaf5a594e81fa8f22.exe
"C:\Users\Admin\AppData\Local\Temp\a633cf75940ad479827b1c917893e81548e84e3c3307badeaf5a594e81fa8f22.exe"
1⤵
PID:556

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4000
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4000 -s 6020
  2⤵
  - Program crash
  PID:2900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 4000 -ip 4000
1⤵
PID:1820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3064
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3064 -s 5928
  2⤵
  - Program crash
  PID:4572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3268

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3064 -ip 3064
1⤵
PID:3256

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3236
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3236 -s 3636
  2⤵
  - Program crash
  PID:1860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4696
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4696 -s 3652
  2⤵
  - Program crash
  PID:3316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 4696 -ip 4696
1⤵
PID:4628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3236 -ip 3236
1⤵
PID:4352

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4612 -s 4468
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Program crash
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 4612 -ip 4612
1⤵
PID:4584

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4004
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4004 -s 5196
  2⤵
  - Program crash
  PID:2052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3196

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 4004 -ip 4004
1⤵
PID:2948

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:1616
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1616 -s 7452
  2⤵
  - Program crash
  PID:2408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4560
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4560 -s 3564
  2⤵
  - Program crash
  PID:4136

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 4560 -ip 4560
1⤵
PID:4988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 1616 -ip 1616
1⤵
PID:4316

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3660
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3660 -s 6056
  2⤵
  - Program crash
  PID:4708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3660 -ip 3660
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3364
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3364 -s 5716
  2⤵
  - Program crash
  PID:4024

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3364 -ip 3364
1⤵
PID:3332

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4684
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4684 -s 7456
  2⤵
  - Program crash
  PID:4436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:224
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 224 -s 3592
  2⤵
  - Program crash
  PID:3060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 224 -ip 224
1⤵
PID:2296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4684 -ip 4684
1⤵
PID:1728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2164
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2164 -s 5984
  2⤵
  - Program crash
  PID:1680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 2164 -ip 2164
1⤵
PID:380

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2984
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2984 -s 5996
  2⤵
  - Program crash
  PID:1488

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3456
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3456 -s 3564
  2⤵
  - Program crash
  PID:3568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3456 -ip 3456
1⤵
PID:3616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 2984 -ip 2984
1⤵
PID:2596

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4184
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4184 -s 7616
  2⤵
  - Program crash
  PID:5076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3660
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3660 -s 948
  2⤵
  - Program crash
  PID:4708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 3660 -ip 3660
1⤵
PID:1844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 4184 -ip 4184
1⤵
PID:3168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2504
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2504 -s 5956
  2⤵
  - Program crash
  PID:3320

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4128
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4128 -s 3600
  2⤵
  - Program crash
  PID:4260

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 4128 -ip 4128
1⤵
PID:4240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 2504 -ip 2504
1⤵
PID:3660

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3236
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3236 -s 5996
  2⤵
  - Program crash
  PID:3376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:944

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 3236 -ip 3236
1⤵
PID:2500

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4452
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4452 -s 4972
  2⤵
  - Program crash
  PID:2508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2020
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2020 -s 3624
  2⤵
  - Program crash
  PID:4472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 2020 -ip 2020
1⤵
PID:4668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 4452 -ip 4452
1⤵
PID:1140

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4208
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4208 -s 5932
  2⤵
  - Program crash
  PID:2252

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 4208 -ip 4208
1⤵
PID:3288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3608
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3608 -s 7344
  2⤵
  - Program crash
  PID:1576

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4212

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2428
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2428 -s 3548
  2⤵
  - Program crash
  PID:4140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 2428 -ip 2428
1⤵
PID:5016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3608 -ip 3608
1⤵
PID:4552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5024
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5024 -s 5824
  2⤵
  - Program crash
  PID:2428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5036

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:840
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 840 -s 3508
  2⤵
  - Program crash
  PID:2392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 840 -ip 840
1⤵
PID:4532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 5024 -ip 5024
1⤵
PID:3832

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 952 -s 6004
  2⤵
  - Program crash
  PID:548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3304

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 952 -ip 952
1⤵
PID:3200

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4240
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4240 -s 5896
  2⤵
  - Program crash
  PID:4036

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4904

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2348
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2348 -s 3584
  2⤵
  - Program crash
  PID:4940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 2348 -ip 2348
1⤵
PID:4492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 4240 -ip 4240
1⤵
PID:4000

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4896
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4896 -s 5960
  2⤵
  - Program crash
  PID:4048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 676 -p 4896 -ip 4896
1⤵
PID:2680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2108 -s 6016
  2⤵
  - Program crash
  PID:4456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3392
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3392 -s 3596
  2⤵
  - Program crash
  PID:1176

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3392 -ip 3392
1⤵
PID:3832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 2108 -ip 2108
1⤵
PID:332

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4664
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4664 -s 7316
  2⤵
  - Program crash
  PID:3884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5048

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2896
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2896 -s 3596
  2⤵
  - Program crash
  PID:3020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2896 -ip 2896
1⤵
PID:4892

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 4664 -ip 4664
1⤵
PID:2792

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1928 -s 7412
  2⤵
  - Program crash
  PID:3060

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4604

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3396
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3396 -s 3572
  2⤵
  - Program crash
  PID:4240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 724 -p 3396 -ip 3396
1⤵
PID:4024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 1928 -ip 1928
1⤵
PID:464

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3732
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3732 -s 6132
  2⤵
  - Program crash
  PID:3700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 672 -p 3732 -ip 3732
1⤵
PID:680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4788
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4788 -s 5724
  2⤵
  - Program crash
  PID:3320

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5076

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 4788 -ip 4788
1⤵
PID:4724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5016
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5016 -s 7024
  2⤵
  - Program crash
  PID:2144

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4248

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3328
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3328 -s 3564
  2⤵
  - Program crash
  PID:3352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 716 -p 3328 -ip 3328
1⤵
PID:1940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 696 -p 5016 -ip 5016
1⤵
PID:2204

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2312
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2312 -s 6012
  2⤵
  - Program crash
  PID:3408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 724 -p 2312 -ip 2312
1⤵
PID:4252

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:548
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 548 -s 1140
  2⤵
  - Program crash
  PID:4372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3700
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3700 -s 3888
  2⤵
  - Program crash
  PID:2816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 3700 -ip 3700
1⤵
PID:3640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 660 -p 548 -ip 548
1⤵
PID:4140

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1160
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1160 -s 5916
  2⤵
  - Program crash
  PID:1652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 1160 -ip 1160
1⤵
PID:3080

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3372
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3372 -s 7400
  2⤵
  - Program crash
  PID:4320

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4364

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3712
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3712 -s 3560
  2⤵
  - Program crash
  PID:672

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 3712 -ip 3712
1⤵
PID:1092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 3372 -ip 3372
1⤵
PID:4748

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2360
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2360 -s 7376
  2⤵
  - Program crash
  PID:8

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4896
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4896 -s 2400
  2⤵
  - Program crash
  PID:3732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 4896 -ip 4896
1⤵
PID:1952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 2360 -ip 2360
1⤵
PID:3268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:208

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
55b54ec631500ac8345b4fe65b933cd7

SHA1
443f0e75a709e94b7f962f7257ab700cf0970675

SHA256
add338c3176b99772b6e9daec0259fcc5d4a5a23bc60dfd062f99f199a5ebef9

SHA512
79d4045bb0afb67302b9676d09433945923c73529289507ac1699e6d7b55212667a6279f4e672dbba2c19edb7f3c43b9bb0292bda7e66b24300184fa7654c384

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
bd6fe71ede38a026dd98427ec1ac276c

SHA1
e29d66672b24874c7b22f08ced67d0b95a6c9f3d

SHA256
c5c57f9a1a917f07dc43225637c7d2f3b117364d4bd0753908f6b55e10c601e1

SHA512
946aaee63d9c397b27b796f79e27d13ee47dad7e35d19fbe787ce509727d4e604d9aebc4ca786452613a2cfed364ad9ebac804c9a74b321a065f261be96f5abe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
memory/224-69-0x000001E610A60000-0x000001E610A80000-memory.dmp

Filesize
128KB

Download
memory/224-67-0x000001E610650000-0x000001E610670000-memory.dmp

Filesize
128KB

Download
memory/224-65-0x000001E610690000-0x000001E6106B0000-memory.dmp

Filesize
128KB

Download
memory/548-332-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/840-202-0x0000020D3F0C0000-0x0000020D3F0E0000-memory.dmp

Filesize
128KB

Download
memory/840-200-0x0000020D3E9B0000-0x0000020D3E9D0000-memory.dmp

Filesize
128KB

Download
memory/840-198-0x0000020D3ED00000-0x0000020D3ED20000-memory.dmp

Filesize
128KB

Download
memory/1616-33-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/1928-284-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/2020-156-0x000001F0BC450000-0x000001F0BC470000-memory.dmp

Filesize
128KB

Download
memory/2020-154-0x000001F0BC490000-0x000001F0BC4B0000-memory.dmp

Filesize
128KB

Download
memory/2020-158-0x000001F0BC860000-0x000001F0BC880000-memory.dmp

Filesize
128KB

Download
memory/2108-238-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2348-222-0x000001E50CA60000-0x000001E50CA80000-memory.dmp

Filesize
128KB

Download
memory/2348-224-0x000001E50CA20000-0x000001E50CA40000-memory.dmp

Filesize
128KB

Download
memory/2348-227-0x000001E50CE20000-0x000001E50CE40000-memory.dmp

Filesize
128KB

Download
memory/2428-180-0x000001EA3A6A0000-0x000001EA3A6C0000-memory.dmp

Filesize
128KB

Download
memory/2428-178-0x000001EA3A6E0000-0x000001EA3A700000-memory.dmp

Filesize
128KB

Download
memory/2428-182-0x000001EA3ACC0000-0x000001EA3ACE0000-memory.dmp

Filesize
128KB

Download
memory/2504-124-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/2896-269-0x0000017C78800000-0x0000017C78820000-memory.dmp

Filesize
128KB

Download
memory/2896-271-0x0000017C785C0000-0x0000017C785E0000-memory.dmp

Filesize
128KB

Download
memory/2896-273-0x0000017C78BD0000-0x0000017C78BF0000-memory.dmp

Filesize
128KB

Download
memory/2984-81-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/3236-8-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/3328-320-0x00000216E8E50000-0x00000216E8E70000-memory.dmp

Filesize
128KB

Download
memory/3328-318-0x00000216E8A40000-0x00000216E8A60000-memory.dmp

Filesize
128KB

Download
memory/3328-316-0x00000216E8A80000-0x00000216E8AA0000-memory.dmp

Filesize
128KB

Download
memory/3372-359-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/3392-250-0x000001CB63E90000-0x000001CB63EB0000-memory.dmp

Filesize
128KB

Download
memory/3392-248-0x000001CB63A80000-0x000001CB63AA0000-memory.dmp

Filesize
128KB

Download
memory/3392-246-0x000001CB63AC0000-0x000001CB63AE0000-memory.dmp

Filesize
128KB

Download
memory/3396-292-0x0000021E58C80000-0x0000021E58CA0000-memory.dmp

Filesize
128KB

Download
memory/3396-299-0x0000021E59050000-0x0000021E59070000-memory.dmp

Filesize
128KB

Download
memory/3396-295-0x0000021E58C40000-0x0000021E58C60000-memory.dmp

Filesize
128KB

Download
memory/3456-89-0x000001DE86B60000-0x000001DE86B80000-memory.dmp

Filesize
128KB

Download
memory/3456-93-0x000001DE86F20000-0x000001DE86F40000-memory.dmp

Filesize
128KB

Download
memory/3456-91-0x000001DE86B20000-0x000001DE86B40000-memory.dmp

Filesize
128KB

Download
memory/3608-170-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3660-115-0x000002C2C89B0000-0x000002C2C89D0000-memory.dmp

Filesize
128KB

Download
memory/3660-118-0x000002C2C90C0000-0x000002C2C90E0000-memory.dmp

Filesize
128KB

Download
memory/3660-112-0x000002C2C8D00000-0x000002C2C8D20000-memory.dmp

Filesize
128KB

Download
memory/3700-344-0x000001A00F6A0000-0x000001A00F6C0000-memory.dmp

Filesize
128KB

Download
memory/3700-339-0x000001A00F2D0000-0x000001A00F2F0000-memory.dmp

Filesize
128KB

Download
memory/3700-341-0x000001A00F290000-0x000001A00F2B0000-memory.dmp

Filesize
128KB

Download
memory/3712-366-0x0000017FDDDB0000-0x0000017FDDDD0000-memory.dmp

Filesize
128KB

Download
memory/3712-370-0x0000017FDE180000-0x0000017FDE1A0000-memory.dmp

Filesize
128KB

Download
memory/3712-368-0x0000017FDDD70000-0x0000017FDDD90000-memory.dmp

Filesize
128KB

Download
memory/4128-130-0x0000018DC4240000-0x0000018DC4260000-memory.dmp

Filesize
128KB

Download
memory/4128-132-0x0000018DC4200000-0x0000018DC4220000-memory.dmp

Filesize
128KB

Download
memory/4128-134-0x0000018DC4600000-0x0000018DC4620000-memory.dmp

Filesize
128KB

Download
memory/4184-104-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/4240-214-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/4452-146-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/4560-40-0x0000013163660000-0x0000013163680000-memory.dmp

Filesize
128KB

Download
memory/4560-46-0x0000013163A30000-0x0000013163A50000-memory.dmp

Filesize
128KB

Download
memory/4560-43-0x0000013163620000-0x0000013163640000-memory.dmp

Filesize
128KB

Download
memory/4664-261-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/4684-58-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/4696-15-0x0000029E8E7A0000-0x0000029E8E7C0000-memory.dmp

Filesize
128KB

Download
memory/4696-17-0x0000029E8E760000-0x0000029E8E780000-memory.dmp

Filesize
128KB

Download
memory/4696-19-0x0000029E8EB70000-0x0000029E8EB90000-memory.dmp

Filesize
128KB

Download
memory/5016-308-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/5024-190-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads