Analysis

  • max time kernel
    69s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/03/2024, 08:02

General

  • Target

    Fangarme/Unfrocked/Beside.ps1

  • Size

    57KB

  • MD5

    4b7717b799924b965c87395fd3525e75

  • SHA1

    497905fee98b47d49d2a307e63a3a150e9024da4

  • SHA256

    3328223bc86a8827b1790755d0c91c6b7f3cea91b18f8cfb24247ca0526ecf60

  • SHA512

    eabcd57e04d51874ef723663443f4f61abd1a11877f9c78e9724e1af0407f8f89fe4e22df66af96f3a3654b77fb197c8d93235764d52b3a91c513fed8a66ba0e

  • SSDEEP

    768:W/CIxu9s4ROzL5W7brBAkk9uBsiSq2mGj2hwHjhImHYlNQmu+DVgku/thQk:UyxRO3I7tyiSq2Xj2hSQnWEmN/TQk

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 14 IoCs
  • Enumerates connected drives 3 TTPs 28 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Fangarme\Unfrocked\Beside.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      2⤵
        PID:4060
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2324
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4332
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1284
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1428
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2884
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SendNotifyMessage
      PID:4672
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2008
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SendNotifyMessage
      PID:3868
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3308
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4012
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:4976
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3208
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1152
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:4508
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4988
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4320
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      PID:4324
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3040
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:560
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4004
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:1456
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4576
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:676
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:3804
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3688
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4324
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:3088
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4644
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4080
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:1836
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3844
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4268
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:5024
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:968
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3872
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:1752
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2896
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:5056
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:3180
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:4468
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:3816
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4240
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:2268
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:2900
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:1616
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:1380
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:4980
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:1504
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:4900
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:4424
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:2788
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:3624
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:3240
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:432
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:1336
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:2012
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4084
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:1500
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:2996
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:392
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:1096
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:3384
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:3112
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:1140
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:1720
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:4900
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:4580
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4652
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:3180
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4428
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:4396
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:452
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:3020
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:4852
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:3728
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:4444
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:3756
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:3936
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:4584
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:3212
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:4924
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:4448
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:4444
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:2768
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      PID:704

Network

MITRE ATT&CK Enterprise v15

Downloads



                                                                                                      128KB

                                                                                                    • memory/4980-303-0x0000020240580000-0x00000202405A0000-memory.dmp

                                                                                                      Filesize

                                                                                                      128KB

                                                                                                    • memory/5024-207-0x0000000002720000-0x0000000002721000-memory.dmp

                                                                                                      Filesize

                                                                                                      4KB

                                                                                                    • memory/5056-241-0x000001C827E40000-0x000001C827E60000-memory.dmp

                                                                                                      Filesize

                                                                                                      128KB

                                                                                                    • memory/5056-239-0x000001C827A30000-0x000001C827A50000-memory.dmp

                                                                                                      Filesize

                                                                                                      128KB

                                                                                                    • memory/5056-237-0x000001C827A70000-0x000001C827A90000-memory.dmp

                                                                                                      Filesize

                                                                                                      128KB
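As an added example (not part of the sandbox report or its tooling), the Python below parses this memory-dump listing, recomputes each region's size from its start and end addresses, checks that against the reported Filesize, groups the distinct regions per process and lists regions that were dumped more than once. It assumes the name layout memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp and binary KB/MB (1024-based); both are consistent with the values shown but are not stated by the report. The sample input is the listing above copied into the script, one entry per line.

```python
"""Parse a sandbox memory-dump listing and sanity-check the reported sizes."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed naming convention: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
# Reported sizes such as "136KB" or "10.8MB"; assumed binary units (1024-based),
# which is the only reading under which the listed values match the address ranges.
SIZE_RE = re.compile(r"^(\d+)(?:\.(\d+))?(B|KB|MB|GB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass(frozen=True)
class MemoryDump:
    pid: int
    index: int
    start: int
    end: int
    reported: str  # Filesize text as printed in the report

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_size(text: str):
    """Return (bytes, tolerance); tolerance is half of the last printed digit."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    whole, frac, unit = m.group(1), m.group(2) or "", m.group(3)
    mult = UNITS[unit]
    return float(f"{whole}.{frac or '0'}") * mult, 0.5 * (10 ** -len(frac)) * mult


def parse_dump_listing(text: str) -> list:
    """Pair each dump name with the next size token after it (labels skipped)."""
    tokens, dumps, i = text.split(), [], 0
    while i < len(tokens):
        m = DUMP_RE.search(tokens[i])
        i += 1
        if not m:
            continue
        while i < len(tokens) and not SIZE_RE.match(tokens[i]):
            if DUMP_RE.search(tokens[i]):
                break
            i += 1
        if i >= len(tokens) or not SIZE_RE.match(tokens[i]):
            raise ValueError(f"{m.group(0)} has no Filesize")
        dumps.append(MemoryDump(int(m.group(1)), int(m.group(2)),
                                int(m.group(3), 16), int(m.group(4), 16), tokens[i]))
        i += 1
    return dumps


def size_matches(dump: MemoryDump) -> bool:
    """True when end-start agrees with the reported Filesize within its rounding."""
    expected, tolerance = parse_size(dump.reported)
    return abs(dump.size - expected) <= tolerance


def regions_by_pid(dumps) -> dict:
    """Distinct (start, end) regions per PID."""
    by_pid = defaultdict(set)
    for d in dumps:
        by_pid[d.pid].add((d.start, d.end))
    return dict(by_pid)


def repeated_regions(dumps) -> dict:
    """(pid, start, end) -> number of snapshots, for regions dumped more than once."""
    counts = Counter((d.pid, d.start, d.end) for d in dumps)
    return {k: n for k, n in counts.items() if n > 1}


# Constructed sample: the report's listing above, one entry per line.
SAMPLE_LISTING = """
memory/4652-5-0x0000025658E60000-0x0000025658E82000-memory.dmp Filesize 136KB
memory/4652-13-0x00000256713A0000-0x00000256713B0000-memory.dmp Filesize 64KB
memory/4652-14-0x00000256713A0000-0x00000256713B0000-memory.dmp Filesize 64KB
memory/4652-16-0x00000256713A0000-0x00000256713B0000-memory.dmp Filesize 64KB
memory/4652-18-0x00007FFFD7B70000-0x00007FFFD8631000-memory.dmp Filesize 10.8MB
memory/4652-10-0x00007FFFD7B70000-0x00007FFFD8631000-memory.dmp Filesize 10.8MB
memory/4652-11-0x00000256713A0000-0x00000256713B0000-memory.dmp Filesize 64KB
memory/4652-12-0x00000256713A0000-0x00000256713B0000-memory.dmp Filesize 64KB
memory/4976-71-0x00000000047A0000-0x00000000047A1000-memory.dmp Filesize 4KB
memory/4980-307-0x0000020240950000-0x0000020240970000-memory.dmp Filesize 128KB
memory/4980-305-0x0000020240540000-0x0000020240560000-memory.dmp Filesize 128KB
memory/4980-303-0x0000020240580000-0x00000202405A0000-memory.dmp Filesize 128KB
memory/5024-207-0x0000000002720000-0x0000000002721000-memory.dmp Filesize 4KB
memory/5056-241-0x000001C827E40000-0x000001C827E60000-memory.dmp Filesize 128KB
memory/5056-239-0x000001C827A30000-0x000001C827A50000-memory.dmp Filesize 128KB
memory/5056-237-0x000001C827A70000-0x000001C827A90000-memory.dmp Filesize 128KB
"""

if __name__ == "__main__":
    dumps = parse_dump_listing(SAMPLE_LISTING)
    for d in dumps:
        flag = "" if size_matches(d) else "  <-- size mismatch"
        print(f"pid {d.pid} #{d.index}: 0x{d.start:X}-0x{d.end:X} ({d.size:#x}){flag}")
    for (pid, start, end), n in repeated_regions(dumps).items():
        print(f"pid {pid} region 0x{start:X}-0x{end:X} dumped {n} times")
```

The parser tokenises on whitespace, so it accepts the report's original three-line layout (name, "Filesize", value) as well as the one-line form used in the sample. A size mismatch between the address range and the Filesize is the check worth keeping when ingesting these listings from other reports, since it catches a truncated or mislabelled dump before any effort is spent on it; on this listing every entry agrees, and the only regions captured more than once belong to PID 4652.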