Resubmissions

22-02-2024 12:58

240222-p7qe4ahh87 10

22-02-2024 12:58

240222-p7hegshf4t 10

21-02-2024 14:52

240221-r83g6ahd51 10

21-02-2024 13:15

240221-qhgbkafg2t 10

19-02-2024 11:43

240219-nv2rxsdc55 10

18-02-2024 23:40

240218-3n9lhsff8w 10

Analysis

  • max time kernel
    39s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240221-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    21-02-2024 14:52

General

  • Target

    253012a62bc1d805c8c0b1bbf936c6f0.exe

  • Size

    2.4MB

  • MD5

    253012a62bc1d805c8c0b1bbf936c6f0

  • SHA1

    33728ba8f5ad3a4f0e1a5d6890022c377c0c00f8

  • SHA256

    a25e2487bb4b638d6333d652db58532f3f29dd5ddb7711f70f52e0e61e8d3f51

  • SHA512

    06842aab184f35c855dbf450534f9de7d66bb5923d0119c3ada19a08dc9f5c2b287321c571cf8b4727927517c6dabe37130e7b9a6eed4892159112ab6e45f57f

  • SSDEEP

    24576:j+G047epooYKZYzX1HWvWKz4E+hhf4udB2mMmsZJlrA9yoiO2V0KcJx3UnpLco7r:B047epoC8cWKssZfM9m1AJxUFr

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 13 IoCs
  • Registers COM server for autorun 1 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 10 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\253012a62bc1d805c8c0b1bbf936c6f0.exe
    "C:\Users\Admin\AppData\Local\Temp\253012a62bc1d805c8c0b1bbf936c6f0.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:2884
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:4140
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:2976
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:4072
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4760
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1632
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3468
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    PID:4356
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4072
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4576
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    PID:4084
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
      PID:432
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4236
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:3404
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4920
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:3708
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:4868
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:1248
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
              PID:2180
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:3212
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:3640
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:4524
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    1⤵
                      PID:4688
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                        PID:5052
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                          PID:2124
                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                          1⤵
                            PID:3668
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                              PID:2944
                            • C:\Windows\explorer.exe
                              explorer.exe
                              1⤵
                                PID:3492
                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                1⤵
                                  PID:3984
                                • C:\Windows\explorer.exe
                                  explorer.exe
                                  1⤵
                                    PID:1008
                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                    1⤵
                                      PID:3608
                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                      1⤵
                                        PID:4268
                                      • C:\Windows\explorer.exe
                                        explorer.exe
                                        1⤵
                                          PID:1356
                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                          1⤵
                                            PID:764
                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                            1⤵
                                              PID:2260
                                            • C:\Windows\explorer.exe
                                              explorer.exe
                                              1⤵
                                                PID:3528
                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                1⤵
                                                  PID:5080
                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                  1⤵
                                                    PID:4992
                                                  • C:\Windows\explorer.exe
                                                    explorer.exe
                                                    1⤵
                                                      PID:3768
                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                      1⤵
                                                        PID:4416
                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                        1⤵
                                                          PID:4164
                                                        • C:\Windows\explorer.exe
                                                          explorer.exe
                                                          1⤵
                                                            PID:4440
                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                            1⤵
                                                              PID:2164
                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                              1⤵
                                                                PID:1632
                                                              • C:\Windows\explorer.exe
                                                                explorer.exe
                                                                1⤵
                                                                  PID:4144
                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                  1⤵
                                                                    PID:3560
                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                    1⤵
                                                                      PID:3504
                                                                    • C:\Windows\explorer.exe
                                                                      explorer.exe
                                                                      1⤵
                                                                        PID:4768
                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                        1⤵
                                                                          PID:4940
                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                          1⤵
                                                                            PID:5028
                                                                          • C:\Windows\explorer.exe
                                                                            explorer.exe
                                                                            1⤵
                                                                              PID:4792
                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                              1⤵
                                                                                PID:5052
                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                1⤵
                                                                                  PID:2096
                                                                                • C:\Windows\explorer.exe
                                                                                  explorer.exe
                                                                                  1⤵
                                                                                    PID:2772
                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                    1⤵
                                                                                      PID:4188
                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                      1⤵
                                                                                        PID:684
                                                                                      • C:\Windows\explorer.exe
                                                                                        explorer.exe
                                                                                        1⤵
                                                                                          PID:4444
                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                          1⤵
                                                                                            PID:3216
                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                            1⤵
                                                                                              PID:2184
                                                                                            • C:\Windows\explorer.exe
                                                                                              explorer.exe
                                                                                              1⤵
                                                                                                PID:1360
                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                1⤵
                                                                                                  PID:4788
                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                  1⤵
                                                                                                    PID:468
                                                                                                  • C:\Windows\explorer.exe
                                                                                                    explorer.exe
                                                                                                    1⤵
                                                                                                      PID:3108
                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                      1⤵
                                                                                                        PID:1696
                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                        1⤵
                                                                                                          PID:4964
                                                                                                        • C:\Windows\explorer.exe
                                                                                                          explorer.exe
                                                                                                          1⤵
                                                                                                            PID:3944
                                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                            1⤵
                                                                                                              PID:1576
                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                              1⤵
                                                                                                                PID:3808
• C:\Windows\explorer.exe
  explorer.exe
  PID:4336

• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID:4296

• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:2668

• C:\Windows\explorer.exe
  explorer.exe
  PID:3232

• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID:5116

• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:4580

Network

MITRE ATT&CK Enterprise v15


Downloads

• C:\Program Files\ExplorerPatcher\WebView2Loader.dll
  Filesize 136KB
  MD5 c44baed957b05b9327bd371dbf0dbe99
  SHA1 80b48c656b8555ebc588de3de0ec6c7e75ae4bf1
  SHA256 ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef
  SHA512 ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35

• C:\Program Files\ExplorerPatcher\ep_gui.dll
  Filesize 702KB
  MD5 50fac6e71b1693c8601e5edfe2314c0c
  SHA1 ffc45bf1c9a5b0f2ca59d5057335ae79c84306d4
  SHA256 3c362868f6740606f86b38c5d492f714265ef67bb9b29f64882bdc4a5519621e
  SHA512 800700b79f227131a76d32e4e8c4073e0906ffe28f1e4d67e7f964747280faf56eabb72bf1520f42abc1a28869d35c956eb094eaf4ce6ed96ab4d4d314ccf391

• C:\Program Files\ExplorerPatcher\ep_weather_host.dll
  Filesize 238KB
  MD5 74d2a253680034bfc1c8b24f3bd777ac
  SHA1 1a00fb3b4628002149fe560a7e231f0bc4a6e97b
  SHA256 52a99a4d45e8847decea13d49ef9aea5ebb629d6f810b6d529df344b9f632299
  SHA512 f3351fb54790e01cf69b66c824a934d9beb8866140a97823d79c18400b8ece845ed71070c5ec2cb21c6f17560fb462794e66b4bc3354e79ef552094c22944063

• C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
  Filesize 109KB
  MD5 578479c0c09270e357ca9a9320a2540a
  SHA1 4e0fe7abb9b760004995e95103e28796e986cceb
  SHA256 f5a33582ac070a90d214d26e70d05f72df1885a8626a837bbe6ff731cd22ed82
  SHA512 d0ce12ea49e268bfd55c9d72a380ad7c5c23d406124cc917c0d745979f19ff7688fad7c094d118c1d9efdaf66cd66f17daea03e7eb122d24d8571a79620e9954

• C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\02UVB9AJ\microsoft.windows[1].xml
  Filesize 97B
  MD5 83971812676cf95291ec7f877a86cc31
  SHA1 6ba5026046b1fb0c3090ec64bcc1e64de02925f8
  SHA256 973963be7824f2999e80230d035bb854b1437facf9e58f262e462f4ba438d5a3
  SHA512 b2bc0be5e4e88c0eb332d364ba90aa54c2cc8d5bc221c22c248e204a58e8b8c60269f134fe427cda1ca013780fa3baffb09a0da34a850fe181f719fe466f0f3e

• C:\Users\Admin\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb
  Filesize 156KB
  MD5 73cc85e90bb714568e7a236dbbc5e019
  SHA1 095c7d7154e3d4d92da2c0a179aaa6530a4c171e
  SHA256 cbb8e1b14488c5c58eee7971aa62fc7a101232968cec248040ada449a143b6ef
  SHA512 05c207486640841e6de6beb55296a4e9ffccd38cded2e2b7e8ae24c28dfddecff3d3092741b7b380a23f4eeca4b1feb13c10768c73c9959ea76659c079c565e0

• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
  Filesize 408KB
  MD5 7dabbe00a40c3d97a948ff3e2f862e9f
  SHA1 adf06073be04ecb4c9ea4d1a86d2b642001d91e0
  SHA256 ffd98282744f1796997d1bc9d311b84c5903aa6e9edacdd2dec15ea5b032cf6a
  SHA512 b9c8b76f87ed569ba75c517fd101096e87eabc51d4aaebe931378bd92fdc6b7ff37e430d26fd447d3d2cb3242323fd485b1ce12303010ab719de63ba2ccad466

• C:\Windows\dxgi.dll
  Filesize 627KB
  MD5 38fa7926c879b55635a697a6f49cb034
  SHA1 539cfcee9654ed2a7b04236d3cd907224e1f6d87
  SHA256 8c1c2a374dc65a688837c3fc1c689b66bc9c2cd57209e576084710aa00c44ea3
  SHA512 5b8d9cc0e8ef425263aba02b1c539517c16d596ecd31f4c647bc4d6eea86211312527c92be486bb8f739ae114704467467e71dcf68ef2f10ae1909e185a494d4

• C:\Windows\dxgi.dll
  Filesize 356KB
  MD5 eb82137cb9dac7cba1838a2c86660e24
  SHA1 4d4b1513a23e1b4a4ac0fe797ec07d6b49a51044
  SHA256 f661d27642743e6e759ed7fd2571af207f34aefeea9b89f3e27e07ed39edcb87
  SHA512 cf9c8baf2d37535d6b5315683dd48da86f78cee1e15971f7ddea825d317291227a11967d0eeec2f2ff7d9b2e75b1c5df1251620b35f579c55451b36f79c4aed2

• memory/3468-88-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/3468-94-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/3468-91-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/3468-90-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/3468-89-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/3468-93-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/3468-87-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/3468-86-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/3468-84-0x00007FFC57E60000-0x00007FFC58001000-memory.dmp
  Filesize 1.6MB

• memory/3468-92-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/3468-85-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/3468-83-0x00007FFC43350000-0x00007FFC43570000-memory.dmp
  Filesize 2.1MB

• memory/3468-82-0x00007FFC43350000-0x00007FFC43570000-memory.dmp
  Filesize 2.1MB

• memory/3468-81-0x00007FFC43350000-0x00007FFC43570000-memory.dmp
  Filesize 2.1MB

• memory/3468-79-0x00007FFC43350000-0x00007FFC43570000-memory.dmp
  Filesize 2.1MB

• memory/3468-80-0x00007FFC43350000-0x00007FFC43570000-memory.dmp
  Filesize 2.1MB

• memory/3468-78-0x00007FFC43350000-0x00007FFC43570000-memory.dmp
  Filesize 2.1MB

• memory/3468-77-0x00007FFC58010000-0x00007FFC5874F000-memory.dmp
  Filesize 7.2MB

• memory/3468-76-0x00007FFC58010000-0x00007FFC5874F000-memory.dmp
  Filesize 7.2MB

• memory/4760-34-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/4760-43-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/4760-46-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/4760-47-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/4760-48-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/4760-49-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
  Filesize 4.6MB

• memory/4760-50-0x00007FFC42BE0000-0x00007FFC43206000-memory.dmp
  Filesize 6.1MB

• memory/4760-51-0x00007FFC42440000-0x00007FFC42A33000-memory.dmp
  Filesize 5.9MB

• memory/4760-53-0x00007FFC4EC10000-0x00007FFC4EC62000-memory.dmp
  Filesize 328KB

• memory/4760-52-0x00007FFC4EC10000-0x00007FFC4EC62000-memory.dmp
  Filesize 328KB

• memory/4760-54-0x00007FFC4EC10000-0x00007FFC4EC62000-memory.dmp
  Filesize 328KB

• memory/4760-56-0x00007FFC4EBC0000-0x00007FFC4EC06000-memory.dmp
  Filesize 280KB

• memory/4760-55-0x00007FFC4EC10000-0x00007FFC4EC62000-memory.dmp
  Filesize 328KB

• memory/4760-57-0x00007FFC40C60000-0x00007FFC40E79000-memory.dmp
  Filesize 2.1MB

• memory/4760-58-0x00007FFC40C60000-0x00007FFC40E79000-memory.dmp
  Filesize 2.1MB

• memory/4760-59-0x00007FFC4EB70000-0x00007FFC4EBC0000-memory.dmp
  Filesize 320KB

                                                                                                                          • memory/4760-61-0x00007FFC4EB70000-0x00007FFC4EBC0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            320KB

                                                                                                                          • memory/4760-62-0x00007FFC4ED80000-0x00007FFC4EDBB000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            236KB

                                                                                                                          • memory/4760-65-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-66-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-44-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-42-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-74-0x0000000009D00000-0x000000000A172000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.4MB

                                                                                                                          • memory/4760-45-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-41-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-40-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-38-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-39-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-37-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-36-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-35-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-33-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-32-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-31-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-30-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-29-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                          • memory/4760-28-0x00007FFC57E60000-0x00007FFC58001000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.6MB

                                                                                                                          • memory/4760-27-0x00007FFC43350000-0x00007FFC43570000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            2.1MB

                                                                                                                          • memory/4760-26-0x00007FFC43350000-0x00007FFC43570000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            2.1MB

                                                                                                                          • memory/4760-25-0x00007FFC43350000-0x00007FFC43570000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            2.1MB

                                                                                                                          • memory/4760-24-0x00007FFC43350000-0x00007FFC43570000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            2.1MB

                                                                                                                          • memory/4760-23-0x00007FFC43350000-0x00007FFC43570000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            2.1MB

                                                                                                                          • memory/4760-22-0x00007FFC43350000-0x00007FFC43570000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            2.1MB

                                                                                                                          • memory/4760-21-0x00007FFC58010000-0x00007FFC5874F000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            7.2MB

                                                                                                                          • memory/4760-20-0x00007FFC58010000-0x00007FFC5874F000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            7.2MB
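The dump listing above repeats the same address range many times, once per dump pass (the 4.6MB region at 0x00007FF79E7B0000 alone appears twenty times), which makes it hard to see how many distinct regions of PID 4760 were actually captured. The script below is an added example, not part of the sandbox report or its tooling: it parses entries in the `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` form, recomputes each region's size from the address range, checks it against the reported Filesize, and collapses duplicates into one row per region. The sample input is a constructed subset of the entries listed above. The split between "image-range" and "low/allocated" regions is a heuristic based on where the 64-bit Windows loader places ASLR'd images, not something the report states.

```python
"""Consolidate a sandbox memory-dump listing into distinct regions per PID."""
import re
from collections import OrderedDict

# Constructed sample: a subset of the report's entries, in the same
# "name / Filesize / value" layout the report uses.
SAMPLE = """
memory/4760-51-0x00007FFC42440000-0x00007FFC42A33000-memory.dmp
Filesize
5.9MB
memory/4760-53-0x00007FFC4EC10000-0x00007FFC4EC62000-memory.dmp
Filesize
328KB
memory/4760-52-0x00007FFC4EC10000-0x00007FFC4EC62000-memory.dmp
Filesize
328KB
memory/4760-56-0x00007FFC4EBC0000-0x00007FFC4EC06000-memory.dmp
Filesize
280KB
memory/4760-57-0x00007FFC40C60000-0x00007FFC40E79000-memory.dmp
Filesize
2.1MB
memory/4760-65-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
Filesize
4.6MB
memory/4760-44-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
Filesize
4.6MB
memory/4760-29-0x00007FF79E7B0000-0x00007FF79EC4D000-memory.dmp
Filesize
4.6MB
memory/4760-74-0x0000000009D00000-0x000000000A172000-memory.dmp
Filesize
4.4MB
memory/4760-21-0x00007FFC58010000-0x00007FFC5874F000-memory.dmp
Filesize
7.2MB
"""

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
SIZE_RE = re.compile(r"^\d+(?:\.\d+)?(?:B|KB|MB|GB)$")

# Heuristic (assumption, not from the report): 64-bit Windows places ASLR'd
# EXE/DLL images near the top of the user address space; regions far below
# that are typically heaps or VirtualAlloc'd buffers such as unpacked payloads.
USER_IMAGE_FLOOR = 0x00007FF000000000


def human_size(nbytes):
    """Format the way the report does: whole KB, or MB to one decimal."""
    if nbytes >= 1024 * 1024:
        return f"{nbytes / (1024 * 1024):.1f}MB"
    return f"{nbytes // 1024}KB"


def classify(start):
    return "image-range" if start >= USER_IMAGE_FLOOR else "low/allocated"


def parse_listing(text):
    """Return one dict per dump entry: pid, seq, start, end, reported size."""
    tokens = [ln.strip().lstrip("• ").strip() for ln in text.splitlines()]
    tokens = [t for t in tokens if t]
    entries, i = [], 0
    while i < len(tokens):
        m = DUMP_RE.fullmatch(tokens[i])
        if not m:
            i += 1
            continue
        # The size follows the name behind a "Filesize" label; stop at the next dump name.
        reported, j = None, i + 1
        while j < len(tokens) and not DUMP_RE.fullmatch(tokens[j]):
            if SIZE_RE.fullmatch(tokens[j]):
                reported = tokens[j]
                break
            j += 1
        entries.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "start": int(m["start"], 16), "end": int(m["end"], 16),
                        "reported": reported})
        i = j + 1 if reported is not None else j
    return entries


def summarize(entries):
    """Collapse repeated dumps of one (pid, start, end) range into a single region row."""
    regions = OrderedDict()
    for e in entries:
        r = regions.setdefault((e["pid"], e["start"], e["end"]), {
            "pid": e["pid"], "start": e["start"], "end": e["end"],
            "size_bytes": e["end"] - e["start"], "reported": e["reported"],
            "seqs": [], "kind": classify(e["start"])})
        r["seqs"].append(e["seq"])
    out = sorted(regions.values(), key=lambda r: r["start"])
    for r in out:
        r["count"] = len(r["seqs"])
        # Flag a region whose listed Filesize disagrees with its address range.
        r["mismatch"] = r["reported"] is not None and r["reported"] != human_size(r["size_bytes"])
    return out


if __name__ == "__main__":
    for r in summarize(parse_listing(SAMPLE)):
        flag = "  SIZE MISMATCH" if r["mismatch"] else ""
        print(f"pid {r['pid']} 0x{r['start']:016X}-0x{r['end']:016X} "
              f"{human_size(r['size_bytes']):>6} x{r['count']:<2} {r['kind']}{flag}")
```

Running it on the full listing above collapses the entries to a handful of regions: one low region (the 4.4MB range at 0x09D00000, the kind of allocation worth checking for an unpacked PE header) and the rest in the image range, with every reported Filesize agreeing with its address span.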