40c0043ce18949abdfe9e5f74990b629fb6179195240196047c4fba44e60ed7f

Analysis

max time kernel
22s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2023, 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40c0043ce18949abdfe9e5f74990b629fb6179195240196047c4fba44e60ed7f.exe
Size

2.9MB
MD5

70d68dffa8231271a8b5f6c8ba684b3f
SHA1

0781376d108c707cb47d7d691e6a9ce198931c86
SHA256

40c0043ce18949abdfe9e5f74990b629fb6179195240196047c4fba44e60ed7f
SHA512

e249f977035bee8d3bf97396f321a28c37986b28fc39cfe329da84f84b86af3c9c4ee01480bf33461f37460ff19f777c0ee72896133fb0e34f98f0e8963a179f
SSDEEP

49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTlziqCNkNpioNeia:Q+8X9G3vP3AM1nCNGpBNc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Program crash 49 IoCs

pid	pid_target	Process	procid_target
4684	3000	WerFault.exe	86
3328	1976	WerFault.exe	94
4600	4428	WerFault.exe	103
2780	3428	WerFault.exe	101
3000	668	WerFault.exe	110
2872	2780	WerFault.exe	117
3980	1416	WerFault.exe	115
3468	5112	WerFault.exe	125
1228	3612	WerFault.exe	123
3288	3892	WerFault.exe	132
404	3028	WerFault.exe	139
4256	3236	WerFault.exe	137
3732	3640	WerFault.exe	147
3524	3848	WerFault.exe	145
4596	2928	WerFault.exe	155
4756	3256	WerFault.exe	153
4836	4744	WerFault.exe	161
372	2680	WerFault.exe	168
4416	4036	WerFault.exe	166
3288	2784	WerFault.exe	176
3980	3744	WerFault.exe	174
3376	3612	WerFault.exe	182
3960	3968	WerFault.exe	189
3896	3620	WerFault.exe	187
4408	928	WerFault.exe	197
1044	3140	WerFault.exe	195
4740	372	WerFault.exe	205
3216	448	WerFault.exe	203
4820	4560	WerFault.exe	213
4344	4908	WerFault.exe	211
3392	4804	WerFault.exe	221
4936	4828	WerFault.exe	219
228	4056	WerFault.exe	229
1668	1560	WerFault.exe	227
3516	3092	WerFault.exe	237
404	3820	WerFault.exe	235
1796	3304	WerFault.exe	243
1060	1696	WerFault.exe	250
4468	3864	WerFault.exe	248
1848	3300	WerFault.exe	258
1492	3228	WerFault.exe	256
180	1608	WerFault.exe	264
2968	1972	WerFault.exe	269
4456	2108	WerFault.exe	270
3744	2012	WerFault.exe	275
4912	1692	WerFault.exe	284
3272	4320	WerFault.exe	282
4732	3024	WerFault.exe	292
3288	228	WerFault.exe	290

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3195054982-4292022746-1467505928-1000\{71CC311B-6397-48D6-8C3E-23980C75A27F}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3195054982-4292022746-1467505928-1000\{2E4F36AB-731C-4650-9751-EF707ED05AEC}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	WerFault.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3195054982-4292022746-1467505928-1000\{B4027ACB-9F41-49B5-96A3-ABD8C3A4D2EE}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3195054982-4292022746-1467505928-1000\{2ACCF871-DCA4-44E9-98B6-75F5587D7FD3}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\MuiCache	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3000	explorer.exe
Token: SeCreatePagefilePrivilege	3000	explorer.exe
Token: SeShutdownPrivilege	3000	explorer.exe
Token: SeCreatePagefilePrivilege	3000	explorer.exe
Token: SeShutdownPrivilege	3000	explorer.exe
Token: SeCreatePagefilePrivilege	3000	explorer.exe
Token: SeShutdownPrivilege	3000	explorer.exe
Token: SeCreatePagefilePrivilege	3000	explorer.exe
Token: SeShutdownPrivilege	3000	explorer.exe
Token: SeCreatePagefilePrivilege	3000	explorer.exe
Token: SeShutdownPrivilege	3000	WerFault.exe
Token: SeCreatePagefilePrivilege	3000	WerFault.exe
Token: SeShutdownPrivilege	3000	WerFault.exe
Token: SeCreatePagefilePrivilege	3000	WerFault.exe
Token: SeShutdownPrivilege	3000	WerFault.exe
Token: SeCreatePagefilePrivilege	3000	WerFault.exe
Token: SeShutdownPrivilege	3000	WerFault.exe
Token: SeCreatePagefilePrivilege	3000	WerFault.exe
Token: SeShutdownPrivilege	3000	WerFault.exe
Token: SeCreatePagefilePrivilege	3000	WerFault.exe
Token: SeShutdownPrivilege	3000	WerFault.exe
Token: SeCreatePagefilePrivilege	3000	WerFault.exe
Token: SeShutdownPrivilege	3000	WerFault.exe
Token: SeCreatePagefilePrivilege	3000	WerFault.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeCreatePagefilePrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeCreatePagefilePrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeCreatePagefilePrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeCreatePagefilePrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeCreatePagefilePrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeCreatePagefilePrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeCreatePagefilePrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeCreatePagefilePrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeCreatePagefilePrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeCreatePagefilePrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeCreatePagefilePrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeCreatePagefilePrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	3428	explorer.exe
Token: SeCreatePagefilePrivilege	3428	explorer.exe
Token: SeShutdownPrivilege	3428	explorer.exe
Token: SeCreatePagefilePrivilege	3428	explorer.exe
Token: SeShutdownPrivilege	3428	explorer.exe
Token: SeCreatePagefilePrivilege	3428	explorer.exe
Token: SeShutdownPrivilege	3428	explorer.exe
Token: SeCreatePagefilePrivilege	3428	explorer.exe
Token: SeShutdownPrivilege	3428	explorer.exe
Token: SeCreatePagefilePrivilege	3428	explorer.exe
Token: SeShutdownPrivilege	3428	explorer.exe
Token: SeCreatePagefilePrivilege	3428	explorer.exe
Token: SeShutdownPrivilege	3428	explorer.exe
Token: SeCreatePagefilePrivilege	3428	explorer.exe
Token: SeShutdownPrivilege	3428	explorer.exe
Token: SeCreatePagefilePrivilege	3428	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	WerFault.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	explorer.exe
3428	WerFault.exe
3428	WerFault.exe
3428	WerFault.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1492	StartMenuExperienceHost.exe
4036	explorer.exe
4728	StartMenuExperienceHost.exe
4428	SearchApp.exe
4036	explorer.exe
4088	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\40c0043ce18949abdfe9e5f74990b629fb6179195240196047c4fba44e60ed7f.exe
"C:\Users\Admin\AppData\Local\Temp\40c0043ce18949abdfe9e5f74990b629fb6179195240196047c4fba44e60ed7f.exe"
1⤵
PID:4572

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3000
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3000 -s 6152
  2⤵
  - Program crash
  PID:4684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 3000 -ip 3000
1⤵
PID:2924

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1976
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1976 -s 6036
  2⤵
  - Program crash
  PID:3328

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 1976 -ip 1976
1⤵
PID:3532

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3428
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3428 -s 5792
  2⤵
  - Program crash
  PID:2780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4728

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4428
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4428 -s 3796
  2⤵
  - Program crash
  PID:4600

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4428 -ip 4428
1⤵
PID:404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 3428 -ip 3428
1⤵
PID:384

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:668
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 668 -s 6024
  2⤵
  - Program crash
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3000

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 668 -ip 668
1⤵
PID:1796

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1416
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1416 -s 5940
  2⤵
  - Program crash
  PID:3980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2780
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2780 -s 3584
  2⤵
  - Program crash
  PID:2872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 2780 -ip 2780
1⤵
PID:708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 1416 -ip 1416
1⤵
PID:3960

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3612 -s 5616
  2⤵
  - Program crash
  PID:1228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5112 -s 3616
  2⤵
  - Program crash
  PID:3468

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 5112 -ip 5112
1⤵
PID:708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 3612 -ip 3612
1⤵
PID:4208

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3892
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3892 -s 5984
  2⤵
  - Program crash
  PID:3288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3892 -ip 3892
1⤵
PID:3488

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3236
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3236 -s 5984
  2⤵
  - Program crash
  PID:4256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3028
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3028 -s 3568
  2⤵
  - Program crash
  PID:404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 3028 -ip 3028
1⤵
PID:1092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3236 -ip 3236
1⤵
PID:4528

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3848
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3848 -s 5876
  2⤵
  - Program crash
  PID:3524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3640
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3640 -s 3600
  2⤵
  - Program crash
  PID:3732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3640 -ip 3640
1⤵
PID:2264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 3848 -ip 3848
1⤵
PID:2396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3256
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3256 -s 7500
  2⤵
  - Program crash
  PID:4756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1432

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2928 -s 2572
  2⤵
  - Program crash
  PID:4596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 2928 -ip 2928
1⤵
PID:664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3256 -ip 3256
1⤵
PID:5116

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4744
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4744 -s 5848
  2⤵
  - Program crash
  PID:4836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 4744 -ip 4744
1⤵
PID:2460

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4036
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4036 -s 7472
  2⤵
  - Program crash
  PID:4416

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2680 -s 3576
  2⤵
  - Program crash
  PID:372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 2680 -ip 2680
1⤵
PID:3620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 4036 -ip 4036
1⤵
PID:504

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3744
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3744 -s 3524
  2⤵
  - Program crash
  PID:3980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2784
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2784 -s 3544
  2⤵
  - Program crash
  PID:3288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 2784 -ip 2784
1⤵
PID:4888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 3744 -ip 3744
1⤵
PID:528

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3612 -s 5936
  2⤵
  - Program crash
  PID:3376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 3612 -ip 3612
1⤵
PID:3896

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3620
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3620 -s 5768
  2⤵
  - Program crash
  PID:3896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4328

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3968
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3968 -s 3604
  2⤵
  - Program crash
  PID:3960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3968 -ip 3968
1⤵
PID:3280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3620 -ip 3620
1⤵
PID:4588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3140
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3140 -s 5908
  2⤵
  - Program crash
  PID:1044

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5028

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 928 -s 3584
  2⤵
  - Program crash
  PID:4408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 928 -ip 928
1⤵
PID:4484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 3140 -ip 3140
1⤵
PID:5108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:448
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 448 -s 7232
  2⤵
  - Program crash
  PID:3216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:372
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 372 -s 3620
  2⤵
  - Program crash
  PID:4740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 372 -ip 372
1⤵
PID:2256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 448 -ip 448
1⤵
PID:1260

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4908
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4908 -s 3408
  2⤵
  - Program crash
  PID:4344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4560
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4560 -s 3532
  2⤵
  - Program crash
  PID:4820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4560 -ip 4560
1⤵
PID:1696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 4908 -ip 4908
1⤵
PID:3532

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4828
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4828 -s 7416
  2⤵
  - Program crash
  PID:4936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4804
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4804 -s 3588
  2⤵
  - Program crash
  PID:3392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 4804 -ip 4804
1⤵
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 4828 -ip 4828
1⤵
PID:3404

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1560
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1560 -s 7456
  2⤵
  - Program crash
  PID:1668

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4056
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4056 -s 3608
  2⤵
  - Program crash
  PID:228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 4056 -ip 4056
1⤵
PID:3884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 1560 -ip 1560
1⤵
PID:1592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3820
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3820 -s 7460
  2⤵
  - Program crash
  PID:404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3092
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3092 -s 3512
  2⤵
  - Program crash
  PID:3516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 3092 -ip 3092
1⤵
PID:1828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 3820 -ip 3820
1⤵
PID:620

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3304 -s 6000
  2⤵
  - Program crash
  PID:1796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3304 -ip 3304
1⤵
PID:4072

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3864 -s 6156
  2⤵
  - Program crash
  PID:4468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1696
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1696 -s 3608
  2⤵
  - Program crash
  PID:1060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 1696 -ip 1696
1⤵
PID:3652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3864 -ip 3864
1⤵
PID:3960

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3228
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3228 -s 7400
  2⤵
  - Program crash
  PID:1492

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3300
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3300 -s 3580
  2⤵
  - Program crash
  PID:1848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 3300 -ip 3300
1⤵
PID:676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 3228 -ip 3228
1⤵
PID:3884

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1608
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1608 -s 4660
  2⤵
  - Program crash
  PID:180

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1852

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 1608 -ip 1608
1⤵
PID:3504

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1972 -s 5960
  2⤵
  - Program crash
  PID:2968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2108 -s 4024
  2⤵
  - Program crash
  PID:4456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1328

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 1972 -ip 1972
1⤵
PID:448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2012
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2012 -s 4344
  2⤵
  - Program crash
  PID:3744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4292

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 2108 -ip 2108
1⤵
PID:1448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 2012 -ip 2012
1⤵
PID:664

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4320
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4320 -s 7352
  2⤵
  - Program crash
  PID:3272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4132

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1692 -s 3568
  2⤵
  - Program crash
  PID:4912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 1692 -ip 1692
1⤵
PID:2372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 4320 -ip 4320
1⤵
PID:1812

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:228
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 228 -s 7460
  2⤵
  - Program crash
  PID:3288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5044

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3024
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3024 -s 3588
  2⤵
  - Program crash
  PID:4732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3024 -ip 3024
1⤵
PID:4308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 228 -ip 228
1⤵
PID:4644

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:508

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
55b54ec631500ac8345b4fe65b933cd7

SHA1
443f0e75a709e94b7f962f7257ab700cf0970675

SHA256
add338c3176b99772b6e9daec0259fcc5d4a5a23bc60dfd062f99f199a5ebef9

SHA512
79d4045bb0afb67302b9676d09433945923c73529289507ac1699e6d7b55212667a6279f4e672dbba2c19edb7f3c43b9bb0292bda7e66b24300184fa7654c384

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
e59800a377f1bccc6a6206d32abf2842

SHA1
299a1767098502433e05cd40a1f16d1b3312e976

SHA256
58dd20e1fa17bb25e2b096945373243b05c265c5e58e4d249024aa6fd3fddce3

SHA512
eef209930bab0dfb9ee02f826adc633a3c45917f48b22d6b605134518d093b878884c63333a74361801d142fded847af3fa62e84651e620c21f82db512045f31

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
memory/372-249-0x000001D396CC0000-0x000001D396CE0000-memory.dmp

Filesize
128KB

Download
memory/372-253-0x000001D3972A0000-0x000001D3972C0000-memory.dmp

Filesize
128KB

Download
memory/372-251-0x000001D396C80000-0x000001D396CA0000-memory.dmp

Filesize
128KB

Download
memory/448-241-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/928-226-0x0000013D8EBD0000-0x0000013D8EBF0000-memory.dmp

Filesize
128KB

Download
memory/928-232-0x0000013D8EFA0000-0x0000013D8EFC0000-memory.dmp

Filesize
128KB

Download
memory/928-229-0x0000013D8EB90000-0x0000013D8EBB0000-memory.dmp

Filesize
128KB

Download
memory/1416-32-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/1560-310-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/1696-365-0x000002990ADD0000-0x000002990ADF0000-memory.dmp

Filesize
128KB

Download
memory/1696-367-0x000002990AD90000-0x000002990ADB0000-memory.dmp

Filesize
128KB

Download
memory/1696-370-0x000002990B1A0000-0x000002990B1C0000-memory.dmp

Filesize
128KB

Download
memory/2680-156-0x000001A7EE060000-0x000001A7EE080000-memory.dmp

Filesize
128KB

Download
memory/2680-162-0x000001A7EE430000-0x000001A7EE450000-memory.dmp

Filesize
128KB

Download
memory/2680-158-0x000001A7EE020000-0x000001A7EE040000-memory.dmp

Filesize
128KB

Download
memory/2780-44-0x000001C2F8250000-0x000001C2F8270000-memory.dmp

Filesize
128KB

Download
memory/2780-42-0x000001C2F7E40000-0x000001C2F7E60000-memory.dmp

Filesize
128KB

Download
memory/2780-39-0x000001C2F7E80000-0x000001C2F7EA0000-memory.dmp

Filesize
128KB

Download
memory/2784-179-0x00000180999E0000-0x0000018099A00000-memory.dmp

Filesize
128KB

Download
memory/2784-182-0x00000180999A0000-0x00000180999C0000-memory.dmp

Filesize
128KB

Download
memory/2784-185-0x0000018099FB0000-0x0000018099FD0000-memory.dmp

Filesize
128KB

Download
memory/2928-136-0x000001D6E8B50000-0x000001D6E8B70000-memory.dmp

Filesize
128KB

Download
memory/2928-134-0x000001D6E8740000-0x000001D6E8760000-memory.dmp

Filesize
128KB

Download
memory/2928-132-0x000001D6E8780000-0x000001D6E87A0000-memory.dmp

Filesize
128KB

Download
memory/3028-88-0x0000028FB24C0000-0x0000028FB24E0000-memory.dmp

Filesize
128KB

Download
memory/3028-90-0x0000028FB2AE0000-0x0000028FB2B00000-memory.dmp

Filesize
128KB

Download
memory/3028-86-0x0000028FB2500000-0x0000028FB2520000-memory.dmp

Filesize
128KB

Download
memory/3092-341-0x000001D5104E0000-0x000001D510500000-memory.dmp

Filesize
128KB

Download
memory/3092-344-0x000001D5104A0000-0x000001D5104C0000-memory.dmp

Filesize
128KB

Download
memory/3092-347-0x000001D510AC0000-0x000001D510AE0000-memory.dmp

Filesize
128KB

Download
memory/3140-218-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/3236-78-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/3256-124-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/3428-9-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3612-54-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/3620-195-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/3640-109-0x000001AE3AF20000-0x000001AE3AF40000-memory.dmp

Filesize
128KB

Download
memory/3640-111-0x000001AE3AEE0000-0x000001AE3AF00000-memory.dmp

Filesize
128KB

Download
memory/3640-113-0x000001AE3B500000-0x000001AE3B520000-memory.dmp

Filesize
128KB

Download
memory/3744-171-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/3820-333-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/3848-101-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/3864-357-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3968-203-0x000001DFB1AC0000-0x000001DFB1AE0000-memory.dmp

Filesize
128KB

Download
memory/3968-208-0x000001DFB20A0000-0x000001DFB20C0000-memory.dmp

Filesize
128KB

Download
memory/3968-205-0x000001DFB1A80000-0x000001DFB1AA0000-memory.dmp

Filesize
128KB

Download
memory/4036-148-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4056-323-0x0000017F809C0000-0x0000017F809E0000-memory.dmp

Filesize
128KB

Download
memory/4056-318-0x0000017F805F0000-0x0000017F80610000-memory.dmp

Filesize
128KB

Download
memory/4056-320-0x0000017F805B0000-0x0000017F805D0000-memory.dmp

Filesize
128KB

Download
memory/4428-15-0x0000025926140000-0x0000025926160000-memory.dmp

Filesize
128KB

Download
memory/4428-17-0x0000025926100000-0x0000025926120000-memory.dmp

Filesize
128KB

Download
memory/4428-20-0x0000025926500000-0x0000025926520000-memory.dmp

Filesize
128KB

Download
memory/4560-276-0x0000027221340000-0x0000027221360000-memory.dmp

Filesize
128KB

Download
memory/4560-272-0x0000027220F70000-0x0000027220F90000-memory.dmp

Filesize
128KB

Download
memory/4560-274-0x0000027220F30000-0x0000027220F50000-memory.dmp

Filesize
128KB

Download
memory/4804-300-0x00000240D7050000-0x00000240D7070000-memory.dmp

Filesize
128KB

Download
memory/4804-295-0x00000240D6C80000-0x00000240D6CA0000-memory.dmp

Filesize
128KB

Download
memory/4804-297-0x00000240D6C40000-0x00000240D6C60000-memory.dmp

Filesize
128KB

Download
memory/4828-287-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/4908-264-0x0000000004060000-0x0000000004061000-memory.dmp

Filesize
4KB

Download
memory/5112-62-0x000001DC32320000-0x000001DC32340000-memory.dmp

Filesize
128KB

Download
memory/5112-64-0x000001DC31FE0000-0x000001DC32000000-memory.dmp

Filesize
128KB

Download
memory/5112-66-0x000001DC326F0000-0x000001DC32710000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads