Analysis

  • max time kernel
    47s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/03/2024, 03:56

General

  • Target

    Bedwarmer.ps1

  • Size

    58KB

  • MD5

    aae5fcb1e66470ef7a08ea335b80ac05

  • SHA1

    9422c0898c87a134c72c6ffa35c594d93dba9dc9

  • SHA256

    8bd9205c7c8f112ff5cba1307842eddccc18e20e227cccb7b74e6a24e686b8b0

  • SHA512

    031d187a47a9b687d6822f34e74029f2f1cf4eb8687dc2846a3d84efbf9d30d5459870842a22cdab89130915501e2593f79b2a32da5c266d382120e0a042b072

  • SSDEEP

    1536:kIA6tvaB6ot7AWRT/HFQzHYDLaKzxxkRq:kIltiBhzlQELaKzjD

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 7 IoCs
  • Enumerates connected drives 3 TTPs 12 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Bedwarmer.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      2⤵
        PID:3956
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1356
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4344
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3764
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4296
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3236
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4632
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2296
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:5088
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3524
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SendNotifyMessage
      PID:2084
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2088
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2012
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:3764
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3040
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3728
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      PID:5004
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:4480
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:4516
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:1464
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:972
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:2348
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:3512
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:564
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:4728
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:2088
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:4996
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:2816
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:1984
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:4884
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:1216
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:2416
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:1988
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:4776
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:3384
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:1528
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:1716
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:3772
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:4804
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:4812
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:3116
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:4820
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:4208
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:4504
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:2224
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:2504
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:2128
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:4744
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:4016
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:1020
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:2732
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:948
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:2224
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:1996
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:4616
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:1716
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:2856
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:4452
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:3116
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:3032
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:4208
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:3040
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:1580
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:2608
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:3664
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:4160
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:3888
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:4236

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
    Filesize
    471B
    MD5
    6475b19cdf10d6f0ccf27ebf0fe76309
    SHA1
    6c3ca7a137c2b3041cdb22c994bba356e33f93c4
    SHA256
    635f833910db4e0915ecfe0d515341d4feec384dd83d6309f71f336c838a75d1
    SHA512
    9f695eae05fd9bc6f775cd2e8ec1a235976d82bf8b206449b0595e97afd335b31e79706b281b920e08de6d90a05a7e8b777f6d15bdbf815e61bf96e19542f4ce

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
    Filesize
    412B
    MD5
    016aff91345fb607c0fc1fa4c9fab74f
    SHA1
    ab6d4f4c17cda205c229574e211d6172d5d8bd65
    SHA256
    290a9faac75c312c42b5ceabe5b77406ce1fe53639368e4de44f0d04d52edafe
    SHA512
    74b81783925e1f39100ac7e7c6c1a2de4c255c99852c9f4191353d12c1172faa82d63a7c0b87028a4833ad3ebcc9a3969c740377bc820ddbcf5f8ed1dd538f09

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
    Filesize
    22KB
    MD5
    5328d2cbc3ee1f604d2b26cdb63e9f51
    SHA1
    022874fae13e994cc9032ab59eadc84e4bd89fb9
    SHA256
    3b16b13178298cb551162bf6a2c09728fd9b8aca0fb193bd47a4267efacc4782
    SHA512
    0fd883bd6a7f86ceb75159145bf4bf94d814e2ae34a328a3e4b3af602185095451e66454b8a5e181ae95c1dfbcadbc75e709a62f0d213ffea212efd5f68c9f7f

  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\KERIKBO1\microsoft.windows[1].xml

                                                                                                            Filesize

                                                                                                            96B

                                                                                                            MD5

                                                                                                            974f0adc8b3b7f482be95139c92926e0

                                                                                                            SHA1

                                                                                                            635f5f7b6f1dda58dd4926f1600dce90652da52a

                                                                                                            SHA256

                                                                                                            fc71f9b009579b4f8c03f646fca98084ed6133d4f2acc4103ea39c366518c771

                                                                                                            SHA512

                                                                                                            27b57eec2e4da0c23cb6f7e173ac831a039c3c8a76dec063c8b23c2e1d90f2d52dc5916044a1cf09fd235439d28919d31e0eef3870374e682d1f07daac9960b2

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ginfcn4f.uvw.ps1

                                                                                                            Filesize

                                                                                                            60B

                                                                                                            MD5

                                                                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                                                                            SHA1

                                                                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                            SHA256

                                                                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                            SHA512

                                                                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82


                                                                                                            Filesize

                                                                                                            4KB