6ccabcc6aba0484b3a1a023b218dc0f87a77a1f643e9886de3555dbdf3111fb5

Analysis

max time kernel
32s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2023 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ccabcc6aba0484b3a1a023b218dc0f87a77a1f643e9886de3555dbdf3111fb5.exe
Size

2.9MB
MD5

a6eb4c8e80d0aa9a82063446027dfb4a
SHA1

502c609fc5d32a0e61ce9753c35453d644555260
SHA256

6ccabcc6aba0484b3a1a023b218dc0f87a77a1f643e9886de3555dbdf3111fb5
SHA512

b5296b9871622ca269396e0cea66df0fad0d25fc8189cf762e77e5a825de3518e573b2b9003698a10ffcbc2310f7ee1a91e1c92843c9bb6e70a22e274d721190
SSDEEP

49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTl3kvl5872QvbEw:Q+8X9G3vP3AM6A72QbEw

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	WerFault.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	WerFault.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 47 IoCs

pid	pid_target	Process	procid_target
1684	5060	WerFault.exe	86
1020	1300	WerFault.exe	95
2656	4608	WerFault.exe	104
3416	4008	WerFault.exe	102
1524	224	WerFault.exe	112
8	3208	WerFault.exe	110
1612	4864	WerFault.exe	121
3760	4608	WerFault.exe	118
368	1980	WerFault.exe	127
3008	2192	WerFault.exe	136
448	4008	WerFault.exe	134
432	4868	WerFault.exe	144
4836	3700	WerFault.exe	142
4744	3852	WerFault.exe	152
3208	4936	WerFault.exe	150
2684	3360	WerFault.exe	160
4852	1276	WerFault.exe	158
4808	3940	WerFault.exe	168
2928	3748	WerFault.exe	166
448	3240	WerFault.exe	177
4332	3884	WerFault.exe	175
412	5036	WerFault.exe	185
1372	4996	WerFault.exe	183
2164	808	WerFault.exe	191
1332	1336	WerFault.exe	198
664	3384	WerFault.exe	196
768	1300	WerFault.exe	204
1648	1612	WerFault.exe	211
3392	3652	WerFault.exe	209
4460	3840	WerFault.exe	219
4024	4364	WerFault.exe	217
4040	4780	WerFault.exe	227
652	4572	WerFault.exe	225
4184	2668	WerFault.exe	235
3364	3208	WerFault.exe	233
2812	3492	WerFault.exe	241
2920	4824	WerFault.exe	248
1512	4084	WerFault.exe	246
1288	1396	WerFault.exe	256
5056	620	WerFault.exe	254
3700	3396	WerFault.exe	264
4068	1532	WerFault.exe	262
1624	3092	WerFault.exe	270
3240	5016	WerFault.exe	277
3608	3356	WerFault.exe	275
2748	2056	WerFault.exe	285
3284	2896	WerFault.exe	283

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	WerFault.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1043950675-1972537973-2972532878-1000\{BD128A4D-C74B-4878-8A1F-F9BC10F504E6}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	WerFault.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5060	explorer.exe
Token: SeCreatePagefilePrivilege	5060	explorer.exe
Token: SeShutdownPrivilege	5060	explorer.exe
Token: SeCreatePagefilePrivilege	5060	explorer.exe
Token: SeShutdownPrivilege	5060	explorer.exe
Token: SeCreatePagefilePrivilege	5060	explorer.exe
Token: SeShutdownPrivilege	5060	explorer.exe
Token: SeCreatePagefilePrivilege	5060	explorer.exe
Token: SeShutdownPrivilege	5060	explorer.exe
Token: SeCreatePagefilePrivilege	5060	explorer.exe
Token: SeShutdownPrivilege	5060	explorer.exe
Token: SeCreatePagefilePrivilege	5060	explorer.exe
Token: SeShutdownPrivilege	5060	explorer.exe
Token: SeCreatePagefilePrivilege	5060	explorer.exe
Token: SeShutdownPrivilege	5060	explorer.exe
Token: SeCreatePagefilePrivilege	5060	explorer.exe
Token: SeShutdownPrivilege	5060	explorer.exe
Token: SeCreatePagefilePrivilege	5060	explorer.exe
Token: SeShutdownPrivilege	1300	explorer.exe
Token: SeCreatePagefilePrivilege	1300	explorer.exe
Token: SeShutdownPrivilege	1300	explorer.exe
Token: SeCreatePagefilePrivilege	1300	explorer.exe
Token: SeShutdownPrivilege	1300	explorer.exe
Token: SeCreatePagefilePrivilege	1300	explorer.exe
Token: SeShutdownPrivilege	1300	explorer.exe
Token: SeCreatePagefilePrivilege	1300	explorer.exe
Token: SeShutdownPrivilege	1300	explorer.exe
Token: SeCreatePagefilePrivilege	1300	explorer.exe
Token: SeShutdownPrivilege	1300	explorer.exe
Token: SeCreatePagefilePrivilege	1300	explorer.exe
Token: SeShutdownPrivilege	1300	explorer.exe
Token: SeCreatePagefilePrivilege	1300	explorer.exe
Token: SeShutdownPrivilege	1300	explorer.exe
Token: SeCreatePagefilePrivilege	1300	explorer.exe
Token: SeShutdownPrivilege	1300	explorer.exe
Token: SeCreatePagefilePrivilege	1300	explorer.exe
Token: SeShutdownPrivilege	1300	explorer.exe
Token: SeCreatePagefilePrivilege	1300	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
5060	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2884	StartMenuExperienceHost.exe
4112	StartMenuExperienceHost.exe
2748	StartMenuExperienceHost.exe
4608	explorer.exe
3360	SearchApp.exe
224	SearchApp.exe
4052	StartMenuExperienceHost.exe
4864	SearchApp.exe
4960	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\6ccabcc6aba0484b3a1a023b218dc0f87a77a1f643e9886de3555dbdf3111fb5.exe
"C:\Users\Admin\AppData\Local\Temp\6ccabcc6aba0484b3a1a023b218dc0f87a77a1f643e9886de3555dbdf3111fb5.exe"
1⤵
PID:2888

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5060
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5060 -s 6256
  2⤵
  - Program crash
  PID:1684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 5060 -ip 5060
1⤵
PID:456

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1300
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1300 -s 5964
  2⤵
  - Program crash
  PID:1020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 1300 -ip 1300
1⤵
PID:3424

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4008
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4008 -s 5920
  2⤵
  - Program crash
  PID:3416

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4608
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4608 -s 3992
  2⤵
  - Program crash
  PID:2656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 4608 -ip 4608
1⤵
PID:4612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4008 -ip 4008
1⤵
PID:1568

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3208
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3208 -s 5940
  2⤵
  - Program crash
  PID:8

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3360

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:224
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 224 -s 3592
  2⤵
  - Program crash
  PID:1524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 224 -ip 224
1⤵
PID:1612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3208 -ip 3208
1⤵
PID:3368

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4608
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4608 -s 7276
  2⤵
  - Program crash
  PID:3760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4052

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4864 -s 3600
  2⤵
  - Program crash
  PID:1612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 4864 -ip 4864
1⤵
PID:2844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4608 -ip 4608
1⤵
PID:4680

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:1980
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1980 -s 6048
  2⤵
  - Program crash
  PID:368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 1980 -ip 1980
1⤵
PID:4024

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4008
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4008 -s 7352
  2⤵
  - Program crash
  PID:448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2192
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2192 -s 3588
  2⤵
  - Program crash
  PID:3008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 2192 -ip 2192
1⤵
PID:4272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 4008 -ip 4008
1⤵
PID:2160

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3700
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3700 -s 3372
  2⤵
  - Program crash
  PID:4836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2316

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4868
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4868 -s 3544
  2⤵
  - Program crash
  PID:432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 4868 -ip 4868
1⤵
PID:4744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3700 -ip 3700
1⤵
PID:3312

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4936
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4936 -s 7388
  2⤵
  - Program crash
  PID:3208

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3852
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3852 -s 3584
  2⤵
  - Program crash
  PID:4744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 3852 -ip 3852
1⤵
PID:1568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4936 -ip 4936
1⤵
PID:3952

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1276 -s 5908
  2⤵
  - Program crash
  PID:4852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3360
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3360 -s 3552
  2⤵
  - Program crash
  PID:2684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3360 -ip 3360
1⤵
PID:3528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 1276 -ip 1276
1⤵
PID:5012

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3748
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3748 -s 7460
  2⤵
  - Program crash
  PID:2928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3940
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3940 -s 3632
  2⤵
  - Program crash
  PID:4808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3940 -ip 3940
1⤵
PID:1568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 3748 -ip 3748
1⤵
PID:4180

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3884
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3884 -s 5992
  2⤵
  - Program crash
  PID:4332

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3384

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3240
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3240 -s 3504
  2⤵
  - Program crash
  PID:448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3240 -ip 3240
1⤵
PID:2688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3884 -ip 3884
1⤵
PID:2440

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4996
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4996 -s 3520
  2⤵
  - Program crash
  PID:1372

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4980

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5036
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5036 -s 3568
  2⤵
  - Program crash
  PID:412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 5036 -ip 5036
1⤵
PID:3164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 4996 -ip 4996
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3208

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:808
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 808 -s 5844
  2⤵
  - Program crash
  PID:2164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 808 -ip 808
1⤵
PID:4944

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3384 -s 7300
  2⤵
  - Program crash
  PID:664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1696

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1336
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1336 -s 3580
  2⤵
  - Program crash
  PID:1332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 1336 -ip 1336
1⤵
PID:1732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 3384 -ip 3384
1⤵
PID:2548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1300
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1300 -s 5944
  2⤵
  - Program crash
  PID:768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 1300 -ip 1300
1⤵
PID:1976

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3652
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3652 -s 6104
  2⤵
  - Program crash
  PID:3392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1612 -s 3608
  2⤵
  - Program crash
  PID:1648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 1612 -ip 1612
1⤵
PID:4536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3652 -ip 3652
1⤵
PID:4264

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4364
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4364 -s 7272
  2⤵
  - Program crash
  PID:4024

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1124

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3840
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3840 -s 2696
  2⤵
  - Program crash
  PID:4460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 3840 -ip 3840
1⤵
PID:1180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4364 -ip 4364
1⤵
PID:2672

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4572
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4572 -s 7464
  2⤵
  - Program crash
  PID:652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4780
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4780 -s 3592
  2⤵
  - Program crash
  PID:4040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 4780 -ip 4780
1⤵
PID:4796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4572 -ip 4572
1⤵
PID:1156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3208
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3208 -s 4156
  2⤵
  - Program crash
  PID:3364

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4296

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2668
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2668 -s 3568
  2⤵
  - Program crash
  PID:4184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 2668 -ip 2668
1⤵
PID:396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 3208 -ip 3208
1⤵
PID:432

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3492
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3492 -s 5776
  2⤵
  - Program crash
  PID:2812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3492 -ip 3492
1⤵
PID:636

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4084
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4084 -s 6028
  2⤵
  - Program crash
  PID:1512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2748

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4824
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4824 -s 2388
  2⤵
  - Program crash
  PID:2920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4824 -ip 4824
1⤵
PID:3008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4084 -ip 4084
1⤵
PID:404

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:620
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 620 -s 7384
  2⤵
  - Program crash
  PID:5056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1396
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1396 -s 3608
  2⤵
  - Program crash
  PID:1288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 1396 -ip 1396
1⤵
PID:3208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 620 -ip 620
1⤵
PID:4552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1532
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1532 -s 7540
  2⤵
  - Program crash
  PID:4068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2836

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3396
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3396 -s 3760
  2⤵
  - Program crash
  PID:3700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 3396 -ip 3396
1⤵
PID:3340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 1532 -ip 1532
1⤵
PID:4288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3092
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3092 -s 5792
  2⤵
  - Program crash
  PID:1624

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3092 -ip 3092
1⤵
PID:1332

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3356
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3356 -s 5972
  2⤵
  - Program crash
  PID:3608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5016
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5016 -s 3560
  2⤵
  - Program crash
  PID:3240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 5016 -ip 5016
1⤵
PID:1472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3356 -ip 3356
1⤵
PID:3508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2896
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2896 -s 3812
  2⤵
  - Program crash
  PID:3284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2056
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2056 -s 3612
  2⤵
  - Program crash
  PID:2748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 2056 -ip 2056
1⤵
PID:1308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2896 -ip 2896
1⤵
PID:4168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4188

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
55b54ec631500ac8345b4fe65b933cd7

SHA1
443f0e75a709e94b7f962f7257ab700cf0970675

SHA256
add338c3176b99772b6e9daec0259fcc5d4a5a23bc60dfd062f99f199a5ebef9

SHA512
79d4045bb0afb67302b9676d09433945923c73529289507ac1699e6d7b55212667a6279f4e672dbba2c19edb7f3c43b9bb0292bda7e66b24300184fa7654c384

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
7fb236c0cb9b8060fda8dfc6c1a37793

SHA1
6f788d4b5deac19afa935f27787267ac8b6a1ceb

SHA256
6106f1ad9372ebf36873dc57e19ed4d9fe518b4282ee00d1d3e9bfb93e9d66e6

SHA512
d7bd73e3d9fc238c032602784c435f44c51d82e760be7cffd79d53f5a81e3f3866a27e50ecf8a5addcaee56ba5f70299e62718711922011272b116f090b904ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
memory/224-38-0x0000019BB84B0000-0x0000019BB84D0000-memory.dmp

Filesize
128KB

Download
memory/224-40-0x0000019BB8470000-0x0000019BB8490000-memory.dmp

Filesize
128KB

Download
memory/224-42-0x0000019BB8880000-0x0000019BB88A0000-memory.dmp

Filesize
128KB

Download
memory/1276-143-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1336-246-0x00000119038A0000-0x00000119038C0000-memory.dmp

Filesize
128KB

Download
memory/1336-243-0x0000011903290000-0x00000119032B0000-memory.dmp

Filesize
128KB

Download
memory/1336-241-0x00000119032D0000-0x00000119032F0000-memory.dmp

Filesize
128KB

Download
memory/1612-267-0x0000014FFF9B0000-0x0000014FFF9D0000-memory.dmp

Filesize
128KB

Download
memory/1612-269-0x0000014FFFFC0000-0x0000014FFFFE0000-memory.dmp

Filesize
128KB

Download
memory/1612-265-0x0000014FFFC00000-0x0000014FFFC20000-memory.dmp

Filesize
128KB

Download
memory/2192-85-0x0000021E4D350000-0x0000021E4D370000-memory.dmp

Filesize
128KB

Download
memory/2192-87-0x0000021E4D760000-0x0000021E4D780000-memory.dmp

Filesize
128KB

Download
memory/2192-82-0x0000021E4D390000-0x0000021E4D3B0000-memory.dmp

Filesize
128KB

Download
memory/2668-336-0x000002F1832A0000-0x000002F1832C0000-memory.dmp

Filesize
128KB

Download
memory/2668-334-0x000002F1832E0000-0x000002F183300000-memory.dmp

Filesize
128KB

Download
memory/2668-338-0x000002F1838C0000-0x000002F1838E0000-memory.dmp

Filesize
128KB

Download
memory/3208-326-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3208-30-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/3240-197-0x000002B322E60000-0x000002B322E80000-memory.dmp

Filesize
128KB

Download
memory/3240-200-0x000002B322E20000-0x000002B322E40000-memory.dmp

Filesize
128KB

Download
memory/3240-202-0x000002B323220000-0x000002B323240000-memory.dmp

Filesize
128KB

Download
memory/3360-151-0x0000026DE57E0000-0x0000026DE5800000-memory.dmp

Filesize
128KB

Download
memory/3360-155-0x0000026DE5EB0000-0x0000026DE5ED0000-memory.dmp

Filesize
128KB

Download
memory/3360-153-0x0000026DE57A0000-0x0000026DE57C0000-memory.dmp

Filesize
128KB

Download
memory/3384-233-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/3652-257-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/3700-98-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/3748-166-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/3840-288-0x00000281052D0000-0x00000281052F0000-memory.dmp

Filesize
128KB

Download
memory/3840-291-0x0000028105290000-0x00000281052B0000-memory.dmp

Filesize
128KB

Download
memory/3840-295-0x00000281058A0000-0x00000281058C0000-memory.dmp

Filesize
128KB

Download
memory/3852-133-0x00000181503C0000-0x00000181503E0000-memory.dmp

Filesize
128KB

Download
memory/3852-128-0x0000018150000000-0x0000018150020000-memory.dmp

Filesize
128KB

Download
memory/3852-130-0x000001814FDB0000-0x000001814FDD0000-memory.dmp

Filesize
128KB

Download
memory/3884-190-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/3940-179-0x0000022A5C3E0000-0x0000022A5C400000-memory.dmp

Filesize
128KB

Download
memory/3940-176-0x0000022A5BDD0000-0x0000022A5BDF0000-memory.dmp

Filesize
128KB

Download
memory/3940-174-0x0000022A5C020000-0x0000022A5C040000-memory.dmp

Filesize
128KB

Download
memory/4008-8-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/4008-74-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/4084-350-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/4364-280-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/4572-303-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/4608-20-0x000001F8D4130000-0x000001F8D4150000-memory.dmp

Filesize
128KB

Download
memory/4608-15-0x000001F8D3D60000-0x000001F8D3D80000-memory.dmp

Filesize
128KB

Download
memory/4608-17-0x000001F8D3D20000-0x000001F8D3D40000-memory.dmp

Filesize
128KB

Download
memory/4608-54-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/4780-311-0x000001A887A40000-0x000001A887A60000-memory.dmp

Filesize
128KB

Download
memory/4780-313-0x000001A887A00000-0x000001A887A20000-memory.dmp

Filesize
128KB

Download
memory/4780-315-0x000001A887E10000-0x000001A887E30000-memory.dmp

Filesize
128KB

Download
memory/4824-363-0x000001450CEB0000-0x000001450CED0000-memory.dmp

Filesize
128KB

Download
memory/4824-360-0x000001450CAA0000-0x000001450CAC0000-memory.dmp

Filesize
128KB

Download
memory/4824-358-0x000001450CAE0000-0x000001450CB00000-memory.dmp

Filesize
128KB

Download
memory/4864-61-0x0000021CA4920000-0x0000021CA4940000-memory.dmp

Filesize
128KB

Download
memory/4864-64-0x0000021CA45E0000-0x0000021CA4600000-memory.dmp

Filesize
128KB

Download
memory/4864-66-0x0000021CA4CF0000-0x0000021CA4D10000-memory.dmp

Filesize
128KB

Download
memory/4868-105-0x000002AF51FB0000-0x000002AF51FD0000-memory.dmp

Filesize
128KB

Download
memory/4868-110-0x000002AF52380000-0x000002AF523A0000-memory.dmp

Filesize
128KB

Download
memory/4868-107-0x000002AF51F70000-0x000002AF51F90000-memory.dmp

Filesize
128KB

Download
memory/4936-120-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4996-209-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/5036-219-0x0000027622A20000-0x0000027622A40000-memory.dmp

Filesize
128KB

Download
memory/5036-221-0x0000027622E20000-0x0000027622E40000-memory.dmp

Filesize
128KB

Download
memory/5036-217-0x0000027622A60000-0x0000027622A80000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads