Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    52s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/05/2024, 22:04

General

  • Target

    14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe

  • Size

    256KB

  • MD5

    14085d347cd35d5d9a6480fc0f82cdc0

  • SHA1

    f03c871cb7971dce8f1740bf618f99e0394a028d

  • SHA256

    ab61e705c84f9b40dce7c345872c140e24bdebc5818a11470b788a7142b5de3c

  • SHA512

    8b23b02d19f2b598ddae417f9da800975c7a11cd54aab5a50054a8a6b51611bab68c784ad1c485e5441e2d49fad68d6092d825dc5a43f650f847f5898fbed4a8

  • SSDEEP

    6144:FDLQxoyQ1LpnFyZ+dayL9rvolH8u3ZhGod:1QCyQ1LHk+zR7QHjGo

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 11 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1816
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat
      2⤵
        PID:3988
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2936
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2196
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1636
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1688
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:376
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4132
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SendNotifyMessage
      PID:516
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4452
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4916
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:376
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4300
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3920
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:392
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4064
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4856
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:916
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4924
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:884
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:4312
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4708
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1144
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:2148
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:660
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3524
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:4388
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4724
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3348
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:4968
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:4708
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
          PID:3744
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
            PID:3452
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
              PID:4528
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:3308
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                  PID:1892
                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                  1⤵
                    PID:4104
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:3496
                    • C:\Windows\explorer.exe
                      explorer.exe
                      1⤵
                        PID:628
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                          PID:660
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:4940
                          • C:\Windows\explorer.exe
                            explorer.exe
                            1⤵
                              PID:4968
                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                              1⤵
                                PID:960
                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                1⤵
                                  PID:4336
                                • C:\Windows\explorer.exe
                                  explorer.exe
                                  1⤵
                                    PID:3732
                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                    1⤵
                                      PID:3752
                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                      1⤵
                                        PID:3744
                                      • C:\Windows\explorer.exe
                                        explorer.exe
                                        1⤵
                                          PID:1280
                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                          1⤵
                                            PID:1752
                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                            1⤵
                                              PID:832
                                            • C:\Windows\explorer.exe
                                              explorer.exe
                                              1⤵
                                                PID:2280
                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                1⤵
                                                  PID:2284
                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                  1⤵
                                                    PID:2244
                                                  • C:\Windows\explorer.exe
                                                    explorer.exe
                                                    1⤵
                                                      PID:8
                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                      1⤵
                                                        PID:2672
                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                        1⤵
                                                          PID:3852
                                                        • C:\Windows\explorer.exe
                                                          explorer.exe
                                                          1⤵
                                                            PID:3016
                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                            1⤵
                                                              PID:2264
                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                              1⤵
                                                                PID:3904
                                                              • C:\Windows\explorer.exe
                                                                explorer.exe
                                                                1⤵
                                                                  PID:2936
                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                  1⤵
                                                                    PID:1784
                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                    1⤵
                                                                      PID:3516
                                                                    • C:\Windows\explorer.exe
                                                                      explorer.exe
                                                                      1⤵
                                                                        PID:3060
                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                        1⤵
                                                                          PID:2420
                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                          1⤵
                                                                            PID:3496
                                                                          • C:\Windows\explorer.exe
                                                                            explorer.exe
                                                                            1⤵
                                                                              PID:1304
                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                              1⤵
                                                                                PID:3744
                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                1⤵
                                                                                  PID:832
                                                                                • C:\Windows\explorer.exe
                                                                                  explorer.exe
                                                                                  1⤵
                                                                                    PID:3120
                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                    1⤵
                                                                                      PID:3924
                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                      1⤵
                                                                                        PID:1616
                                                                                      • C:\Windows\explorer.exe
                                                                                        explorer.exe
                                                                                        1⤵
                                                                                          PID:4036
                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                          1⤵
                                                                                            PID:2204
                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                            1⤵
                                                                                              PID:1260
                                                                                            • C:\Windows\explorer.exe
                                                                                              explorer.exe
                                                                                              1⤵
                                                                                                PID:3660
                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                1⤵
                                                                                                  PID:4320
                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                  1⤵
                                                                                                    PID:3516
                                                                                                  • C:\Windows\explorer.exe
                                                                                                    explorer.exe
                                                                                                    1⤵
                                                                                                      PID:448
                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                      1⤵
                                                                                                        PID:4088
                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                        1⤵
                                                                                                          PID:1040
                                                                                                        • C:\Windows\explorer.exe
                                                                                                          explorer.exe
                                                                                                          1⤵
                                                                                                            PID:3440
                                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                            1⤵
                                                                                                              PID:3740
                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                              1⤵
                                                                                                                PID:1664
                                                                                                              • C:\Windows\explorer.exe
                                                                                                                explorer.exe
                                                                                                                1⤵
                                                                                                                  PID:4696
                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                  1⤵
                                                                                                                    PID:1568
                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                    1⤵
                                                                                                                      PID:3492
                                                                                                                    • C:\Windows\explorer.exe
                                                                                                                      explorer.exe
                                                                                                                      1⤵
                                                                                                                        PID:1872
                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                        1⤵
                                                                                                                          PID:2416
                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                          1⤵
                                                                                                                            PID:432

                                                                                                                          Network

                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                          Replay Monitor

                                                                                                                          Loading Replay Monitor...

                                                                                                                          Downloads

                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

                                                                                                                            Filesize

                                                                                                                            2KB

                                                                                                                            MD5

                                                                                                                            31a4a2589317366cec625e72f4734069

                                                                                                                            SHA1

                                                                                                                            d53f71a42fdb62523d8d516f7f7186c60d9da0a3

                                                                                                                            SHA256

                                                                                                                            86b2cbb3bf7a496a4cdbe43dd8a3cbb1de5225ca727754cc90a115608f4b470b

                                                                                                                            SHA512

                                                                                                                            c283c78cb01908d23a3aabc313d70eb667b2f4c9974d5b8063028a2fdbb900983ca961846cfb21af8e7c927fc1c254a4d4019fe77780e168685d63db59f015c6

                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133598522742695316.txt

                                                                                                                            Filesize

                                                                                                                            75KB

                                                                                                                            MD5

                                                                                                                            ce88a108043a3d69e5325754ba9c7181

                                                                                                                            SHA1

                                                                                                                            c64f06b8081f5ec0ae7c0e1fe7b0f248aa6550c4

                                                                                                                            SHA256

                                                                                                                            b2552766ebb3469549cea5b6b609077fa6e38c000eba6befadfd275e11a8095e

                                                                                                                            SHA512

                                                                                                                            cb5e53fb1520b68178ad465cde801ed779521b843de44f894fc8fdbd071f33f663a60f570b134ff0996bf407ef9ecee72810b16dd9276469e6b0efb5d5c85829

                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\U23Z080G\microsoft.windows[1].xml

                                                                                                                            Filesize

                                                                                                                            97B

                                                                                                                            MD5

                                                                                                                            292a283bdecf4cd89c3ad863a28bc72f

                                                                                                                            SHA1

                                                                                                                            18e896fec5f8b3ea2963d0a5cb45a244050c35c1

                                                                                                                            SHA256

                                                                                                                            09794c6006f357000111d7d13c1c20075eaea58f68df78e118d14b4547835ec2

                                                                                                                            SHA512

                                                                                                                            71349774dcf41cd9e72c881cd374ffaf2527b2156a616cc064f10f34e7bbf0ea6174916acb2b8b06428f2b2f29315359e66dde317965463ea1eb70fef52beaaa

                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\yyyy

                                                                                                                            Filesize

                                                                                                                            256KB

                                                                                                                            MD5

                                                                                                                            fb59817a842f734d11a655709a36bf22

                                                                                                                            SHA1

                                                                                                                            6b861ff4bce673bddbf78d124a3bdaffed525f7e

                                                                                                                            SHA256

                                                                                                                            2e23ec34113d559deb32d44fc418f07a1a3258a5e814f700f115f2685483439e

                                                                                                                            SHA512

                                                                                                                            fbae94f7e38462f629626bb2d592d0f79d5004a8fdbacff68808d124d50e961731a7cab01269680684029e1ef671c6809e1defec07ee2d0d12182b19c61a7446

                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\yyyy.bat

                                                                                                                            Filesize

                                                                                                                            337B

                                                                                                                            MD5

                                                                                                                            ec5ec017408677bcd4e09b8f76420dc8

                                                                                                                            SHA1

                                                                                                                            73c4a367d409744f8e205dd486f637e8f32ac0be

                                                                                                                            SHA256

                                                                                                                            f804df1d10eb132f588011c00e11122f399a0f5c73e9f061f617d733fb164f1b

                                                                                                                            SHA512

                                                                                                                            2b81cde5910afdf835bbfb28a711145227cb7ad3403c79bea7eecea3c385d42064fd50819339cfd9443e902e165b61e0bfbe177817b3e69fe13e44ef5848830c

                                                                                                                          • C:\Windows\System32\drivers\etc\hosts

                                                                                                                            Filesize

                                                                                                                            2KB

                                                                                                                            MD5

                                                                                                                            6f332dcaeeb548cceb98beb934ab3d55

                                                                                                                            SHA1

                                                                                                                            e48872682e514e95dcc14ff9bbdc6e0bef723fca

                                                                                                                            SHA256

                                                                                                                            7937ea22b6d3b09f8d41afef1371aaee906657aafce6678b0b449931a1a8c4c0

                                                                                                                            SHA512

                                                                                                                            e695693e246253fa969b57c20c4147009846d7848bc092c97aa830daf2f89e0c1a1850cb0c7e5715a95ebf19cdf58726eec3a9820f0b8820e495234ce22f2844

                                                                                                                          • memory/376-324-0x0000000004B70000-0x0000000004B71000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/392-472-0x0000000004440000-0x0000000004441000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/516-178-0x0000000004720000-0x0000000004721000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/884-620-0x0000016F65520000-0x0000016F65620000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/884-635-0x0000016F66650000-0x0000016F66670000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/884-651-0x0000016F66A60000-0x0000016F66A80000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/884-624-0x0000016F66690000-0x0000016F666B0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/884-619-0x0000016F65520000-0x0000016F65620000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/916-618-0x00000000043B0000-0x00000000043B1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/1144-785-0x000002DA533A0000-0x000002DA533C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/1144-799-0x000002DA539B0000-0x000002DA539D0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/1144-769-0x000002D251500000-0x000002D251600000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/1144-773-0x000002DA533E0000-0x000002DA53400000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/1144-768-0x000002D251500000-0x000002D251600000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/1688-22-0x0000000004820000-0x0000000004821000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/2148-914-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/3348-1087-0x00000209F7170000-0x00000209F7190000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/3348-1075-0x00000209F6960000-0x00000209F6980000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/3348-1062-0x00000209F69A0000-0x00000209F69C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/3348-1057-0x00000209F5C40000-0x00000209F5D40000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/3524-921-0x000001D899E40000-0x000001D899E60000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/3524-917-0x000001D898B00000-0x000001D898C00000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/3524-934-0x000001D899E00000-0x000001D899E20000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/3524-916-0x000001D898B00000-0x000001D898C00000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/3524-953-0x000001D89A200000-0x000001D89A220000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/3744-1209-0x000001E6F9F20000-0x000001E6FA020000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/3744-1222-0x000001E6FB040000-0x000001E6FB060000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/3744-1213-0x000001E6FB080000-0x000001E6FB0A0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/3744-1208-0x000001E6F9F20000-0x000001E6FA020000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/3920-341-0x0000021337F50000-0x0000021337F70000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/3920-326-0x0000021337040000-0x0000021337140000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/3920-353-0x0000021338560000-0x0000021338580000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/3920-331-0x0000021337F90000-0x0000021337FB0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/3920-327-0x0000021337040000-0x0000021337140000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/4132-48-0x000001AD57C50000-0x000001AD57C70000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/4132-25-0x000001AD56720000-0x000001AD56820000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/4132-29-0x000001AD57880000-0x000001AD578A0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/4132-36-0x000001AD57840000-0x000001AD57860000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/4132-24-0x000001AD56720000-0x000001AD56820000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/4312-767-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/4388-1056-0x0000000003420000-0x0000000003421000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/4588-14-0x0000000000400000-0x000000000048C000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            560KB

                                                                                                                          • memory/4588-0-0x0000000000400000-0x000000000048C000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            560KB

                                                                                                                          • memory/4588-1-0x0000000000400000-0x000000000048C000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            560KB

                                                                                                                          • memory/4856-474-0x000001D76D100000-0x000001D76D200000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/4856-491-0x000001D76E200000-0x000001D76E220000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/4856-503-0x000001D76E610000-0x000001D76E630000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/4856-479-0x000001D76E240000-0x000001D76E260000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/4856-476-0x000001D76D100000-0x000001D76D200000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/4856-475-0x000001D76D100000-0x000001D76D200000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/4916-202-0x0000027F44580000-0x0000027F445A0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/4916-188-0x0000027F44170000-0x0000027F44190000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/4916-185-0x0000027F441B0000-0x0000027F441D0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                          • memory/4916-180-0x0000027F43050000-0x0000027F43150000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                          • memory/4968-1206-0x0000000004C90000-0x0000000004C91000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB