Analysis

  • max time kernel
    74s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/03/2024, 12:31

General

  • Target
    Regretable/Prferencetolden/Alluder152/Brinie29.ps1
  • Size
    57KB
  • MD5
    606f3c0d77738574d051cf2f7140aafd
  • SHA1
    becf7fe1fe0af569c52c94abadc970cca66ec0a6
  • SHA256
    5bb0a1909d79ecf1060382416cd6df278b2be9af709e3b072ca983d62f9b4861
  • SHA512
    8bcd585c03b3e8a145a17da6c00e3423d6f0e00f8ca3c34959c49867f651371dd993478ef81e098a1cd8c8d9890c7d1c62ae0488f095b39d4f96278664b340e8
  • SSDEEP
    768:4wErrM7A/9QKnpZ2H0ZjGtEbT59AILrUuh1tOBt33K2LCgPFKGft1Csv2EzbnQdx:4/nR2UIEn0Mw4fOBJJDgsBbnQdRWLJSB

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 15 IoCs
  • Enumerates connected drives 3 TTPs 30 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Regretable\Prferencetolden\Alluder152\Brinie29.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      2⤵
        PID:2308
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3036
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4452
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1044
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:316
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4292
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Suspicious use of SendNotifyMessage
      PID:3044
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3640
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1276
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SendNotifyMessage
      PID:4868
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4260
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3624
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:3848
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4184
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3196
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:4500
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1180
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3728
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      PID:3800
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2760
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3196
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:4696
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4604
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:976
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:528
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4316
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4216
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:3052
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4824
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4108
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:2476
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2032
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3788
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:1276
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:312
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2404
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:2760
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1704
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3572
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:2936
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3688
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2756
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      PID:4324
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:212
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:4000
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:464
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:3276
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:3868
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4276
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:4068
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:4004
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4564
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:3340
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:1652
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:3440
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:2068
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:2104
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:5076
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:3760
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:60
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4052
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:2068
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:3576
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4964
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:2800
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4160
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:4336
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:1524
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4296
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:5044
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:800
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:1412
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:4348
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:3932
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:3160
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:1640
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:5020
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:3616
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:1096
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4360
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:2408
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:4664
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4144
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:1044
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:1868

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
    Filesize
    471B
    MD5
    da26794ff771dc3d9e896bc1873b3f4a
    SHA1
    21f4258056030c93a9fc2ee772e3dfc0fc4f8d92
    SHA256
    c9990a0c6e3161572ff16108a6c32652061402a6e3385fdd68f8a729d572f742
    SHA512
    998d322982dc9b197b6291440c0abd14522010fda2e6b2213636ea1435d27534db630e4275dcc043ddafb6bcb3ba4db481aad12246f75c951de69f0889e26ef6
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
    Filesize
    412B
    MD5
    f55348ae9e470252db878895d37bb6c5
    SHA1

                                                                                                7974bb81e9be64bea44d3b9bd648508c41229e4a

                                                                                                SHA256

                                                                                                886efef2b675bbcca0977ac3be8e8594b521829fd1afbf94c621ee5374066160

                                                                                                SHA512

                                                                                                f5791dea7c09c4cb956a02dbf4f87b0860b64a80566c39cc659e7dd5fca842574f0eb500b63e20cfc060d5c4b5c94e1a145213d8d766ad7c638d6c500b4f44ab

                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

                                                                                                Filesize

                                                                                                2KB

                                                                                                MD5

                                                                                                6ad29dce041a6f8ff6ece6ff4084f6e0

                                                                                                SHA1

                                                                                                290319cd8e0200d8544196d4e89686a4210fb374

                                                                                                SHA256

                                                                                                2b75ee78959000483f4592db888a1de7747897a097e809babc5293139a576837

                                                                                                SHA512

                                                                                                5a8a430acb90d000e36ab8968f966fc5832c8d5fb033cce352c6d2f5dac6f8f33eebc048a2a4c5037e232685b65d5243a405977c70695e11e6ee23d86dd18c09

                                                                                              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\39XIXV5T\microsoft.windows[1].xml

                                                                                                Filesize

                                                                                                96B

                                                                                                MD5

                                                                                                29e3c94dfa03b794f03e17d8b45295d9

                                                                                                SHA1

                                                                                                1a598a72d3d486f77e861f98abcd2f4a8e936365

                                                                                                SHA256

                                                                                                7ff0263086f28cc1d842d07a23128b955780d3c8b85b130228c7f65ce2b4262a

                                                                                                SHA512

                                                                                                e2180d73f45da32ac4fb355546103496d73cdf7cb966c60f6a414bc7052e46431177e9009bdfd730d2fe6955b986392720fe3bdc8afbc0388f1b70e438a4ef9c

                                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jinrvsca.tys.ps1

                                                                                                Filesize

                                                                                                60B

                                                                                                MD5

                                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                                SHA1

                                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                SHA256

                                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                SHA512

                                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                              • memory/464-338-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/528-177-0x00000000041D0000-0x00000000041D1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/976-165-0x00000210A4C20000-0x00000210A4C40000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/976-164-0x00000210A4820000-0x00000210A4840000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/976-162-0x00000210A4860000-0x00000210A4880000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/1044-27-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/1276-55-0x000002BB91470000-0x000002BB91490000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/1276-53-0x000002BB914B0000-0x000002BB914D0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/1276-246-0x00000000044F0000-0x00000000044F1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/1276-57-0x000002BB91A80000-0x000002BB91AA0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/2280-13-0x0000016631DC0000-0x0000016631DD0000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                              • memory/2280-14-0x0000016631DC0000-0x0000016631DD0000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                              • memory/2280-17-0x0000016631F50000-0x0000016631F54000-memory.dmp

                                                                                                Filesize

                                                                                                16KB

                                                                                              • memory/2280-0-0x0000016631D70000-0x0000016631D92000-memory.dmp

                                                                                                Filesize

                                                                                                136KB

                                                                                              • memory/2280-11-0x0000016631DC0000-0x0000016631DD0000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                              • memory/2280-16-0x0000016631DC0000-0x0000016631DD0000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                              • memory/2280-12-0x0000016631DC0000-0x0000016631DD0000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                              • memory/2280-10-0x00007FFBCC4E0000-0x00007FFBCCFA1000-memory.dmp

                                                                                                Filesize

                                                                                                10.8MB

                                                                                              • memory/2280-18-0x00007FFBCC4E0000-0x00007FFBCCFA1000-memory.dmp

                                                                                                Filesize

                                                                                                10.8MB

                                                                                              • memory/2404-258-0x000002C2AD420000-0x000002C2AD440000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/2404-254-0x000002C2AD060000-0x000002C2AD080000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/2404-256-0x000002C2AD020000-0x000002C2AD040000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/2476-223-0x0000000004560000-0x0000000004561000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/2756-301-0x00000132F5E20000-0x00000132F5E40000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/2756-303-0x00000132F6230000-0x00000132F6250000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/2756-299-0x00000132F5E60000-0x00000132F5E80000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/2760-269-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/2936-292-0x0000000003110000-0x0000000003111000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/3044-46-0x00000000029D0000-0x00000000029D1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/3052-200-0x00000000044E0000-0x00000000044E1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/3196-141-0x0000014C65620000-0x0000014C65640000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3196-143-0x0000014C65A20000-0x0000014C65A40000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3196-100-0x0000021E894A0000-0x0000021E894C0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3196-139-0x0000014C65660000-0x0000014C65680000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3196-96-0x0000021E88ED0000-0x0000021E88EF0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3196-98-0x0000021E88E90000-0x0000021E88EB0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3572-279-0x0000024A83290000-0x0000024A832B0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3572-281-0x0000024A838A0000-0x0000024A838C0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3572-277-0x0000024A832D0000-0x0000024A832F0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3624-76-0x000002A9243E0000-0x000002A924400000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3624-78-0x000002A9243A0000-0x000002A9243C0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3624-80-0x000002A9247B0000-0x000002A9247D0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3728-123-0x000002C8C1680000-0x000002C8C16A0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3728-119-0x000002C8C10B0000-0x000002C8C10D0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3728-121-0x000002C8C1070000-0x000002C8C1090000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3788-233-0x00000257A5790000-0x00000257A57B0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3788-235-0x00000257A5BA0000-0x00000257A5BC0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3788-231-0x00000257A57D0000-0x00000257A57F0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3800-131-0x0000000003070000-0x0000000003071000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/3848-89-0x00000000041F0000-0x00000000041F1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/3868-350-0x0000011E4F510000-0x0000011E4F530000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3868-348-0x0000011E4F100000-0x0000011E4F120000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/3868-346-0x0000011E4F140000-0x0000011E4F160000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/4000-326-0x000002275C950000-0x000002275C970000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/4000-324-0x000002275C540000-0x000002275C560000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/4000-322-0x000002275C580000-0x000002275C5A0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/4004-371-0x000001B400A20000-0x000001B400A40000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/4004-369-0x000001B400A60000-0x000001B400A80000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/4004-373-0x000001B400E30000-0x000001B400E50000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/4108-208-0x000002684C0B0000-0x000002684C0D0000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/4108-210-0x000002684C070000-0x000002684C090000-memory.dmp

                                                                                                Filesize

                                                                                                128KB

                                                                                              • memory/4108-212-0x000002684C680000-0x000002684C6A0000-memory.dmp

  Filesize 128KB

• memory/4216-187-0x0000023E9E990000-0x0000023E9E9B0000-memory.dmp
  Filesize 128KB

• memory/4216-190-0x0000023E9EDA0000-0x0000023E9EDC0000-memory.dmp
  Filesize 128KB

• memory/4216-185-0x0000023E9E9D0000-0x0000023E9E9F0000-memory.dmp
  Filesize 128KB

• memory/4276-362-0x00000000032A0000-0x00000000032A1000-memory.dmp
  Filesize 4KB

• memory/4292-35-0x0000017A5A860000-0x0000017A5A880000-memory.dmp
  Filesize 128KB

• memory/4292-33-0x0000017A5A8A0000-0x0000017A5A8C0000-memory.dmp
  Filesize 128KB

• memory/4292-37-0x0000017A5AE80000-0x0000017A5AEA0000-memory.dmp
  Filesize 128KB

• memory/4324-315-0x0000000004690000-0x0000000004691000-memory.dmp
  Filesize 4KB

• memory/4500-111-0x0000000002A60000-0x0000000002A61000-memory.dmp
  Filesize 4KB

• memory/4696-154-0x0000000004BE0000-0x0000000004BE1000-memory.dmp
  Filesize 4KB

• memory/4868-68-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
  Filesize 4KB
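The memory dump entries above follow the sandbox's `memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp` naming, and the reported Filesize should equal the address span (`end - start`). The script below is an added triage helper, not part of the sandbox report or its tooling: it parses that naming pattern, checks each Filesize against the span, flags regions above 4 GiB (which can only belong to a 64-bit process; a heuristic, not something the report states), and totals regions per PID. The sample input is the list of entries from this section, copied in as constructed data; the threshold and field names are the script's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the entries from the report section above, paired with
# the Filesize the report gives for each. Any other list in the same shape works.
SAMPLE_ENTRIES = [
    ("memory/4216-187-0x0000023E9E990000-0x0000023E9E9B0000-memory.dmp", "128KB"),
    ("memory/4216-190-0x0000023E9EDA0000-0x0000023E9EDC0000-memory.dmp", "128KB"),
    ("memory/4216-185-0x0000023E9E9D0000-0x0000023E9E9F0000-memory.dmp", "128KB"),
    ("memory/4276-362-0x00000000032A0000-0x00000000032A1000-memory.dmp", "4KB"),
    ("memory/4292-35-0x0000017A5A860000-0x0000017A5A880000-memory.dmp", "128KB"),
    ("memory/4292-33-0x0000017A5A8A0000-0x0000017A5A8C0000-memory.dmp", "128KB"),
    ("memory/4292-37-0x0000017A5AE80000-0x0000017A5AEA0000-memory.dmp", "128KB"),
    ("memory/4324-315-0x0000000004690000-0x0000000004691000-memory.dmp", "4KB"),
    ("memory/4500-111-0x0000000002A60000-0x0000000002A61000-memory.dmp", "4KB"),
    ("memory/4696-154-0x0000000004BE0000-0x0000000004BE1000-memory.dmp", "4KB"),
    ("memory/4868-68-0x0000000004DA0000-0x0000000004DA1000-memory.dmp", "4KB"),
]

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Assumption: addresses at or above 4 GiB only occur in a 64-bit process.
HIGH_ADDRESS_THRESHOLD = 1 << 32


def parse_size(text):
    """Turn a human-readable size such as '128KB' into a byte count."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2)])


def parse_dump_name(name):
    """Split a dump file name into pid, index, start, end and span (bytes)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start = int(m.group("start"), 16)
    end = int(m.group("end"), 16)
    if end <= start:
        raise ValueError(f"end address not after start in {name!r}")
    return {
        "pid": int(m.group("pid")),
        "idx": int(m.group("idx")),
        "start": start,
        "end": end,
        "span": end - start,
    }


def check_entries(entries):
    """Return one record per entry, flagging size/span mismatches and high regions."""
    results = []
    for name, size_text in entries:
        rec = parse_dump_name(name)
        rec["filesize"] = parse_size(size_text)
        # A dump whose size differs from its address span deserves a second look.
        rec["consistent"] = rec["filesize"] == rec["span"]
        rec["high_address"] = rec["start"] >= HIGH_ADDRESS_THRESHOLD
        results.append(rec)
    return results


def summarize_by_pid(results):
    """Aggregate region count, dumped bytes and flags per process id."""
    summary = defaultdict(
        lambda: {"regions": 0, "bytes": 0, "high_address": 0, "inconsistent": 0}
    )
    for r in results:
        s = summary[r["pid"]]
        s["regions"] += 1
        s["bytes"] += r["span"]
        s["high_address"] += int(r["high_address"])
        s["inconsistent"] += int(not r["consistent"])
    return dict(summary)


if __name__ == "__main__":
    checked = check_entries(SAMPLE_ENTRIES)
    for pid, s in sorted(summarize_by_pid(checked).items()):
        print(f"pid {pid}: {s['regions']} regions, {s['bytes']} bytes, "
              f"{s['high_address']} above 4 GiB, {s['inconsistent']} size mismatches")
```

Run against this section's entries, every Filesize matches its span (0x20000 is 128 KB, 0x1000 is 4 KB), PIDs 4216 and 4292 each contribute three 128 KB regions at high addresses, and the remaining PIDs each contribute a single 4 KB page at a low address. A mismatch would indicate either a truncated dump or a naming inconsistency worth checking before the dump is loaded into a debugger.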