Overview

overview

10

Static

static

1

4f0c13bf16...3N.exe

windows7-x64

8

4f0c13bf16...3N.exe

windows10-2004-x64

10

Sharpness.ps1

windows7-x64

3

Sharpness.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    40s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 20:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sharpness.ps1

  • Size

    54KB

  • MD5

    a455a44aa414354fe74ee543bbf64451

  • SHA1

    4d73664950e0b77b2f05eebce4e5c3d549cc18ea

  • SHA256

    c7dac58dcad45abf34bee7c7567a746fada583c0e734d204ed2f71617c4b7b31

  • SHA512

    a9bedcaa864985c0ec2f9eb521983d23f7b58689922f39305d17fa39aa41ef02be8bec3fc99d22caba1c34c56d6d68160f9dea27bc207eda83f97cc47f852fa7

  • SSDEEP

    768:13Zs6XOqDlTXziiIlncM1oM1XgGZstyjmPcWCqqGKmafPMrV4yIAXBMWWYUGrY1b:1K69DF+lcM1tZaGK/QNAxIQsb

Score
8/10
executionpersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Enumerates connected drives 3 TTPs 16 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Sharpness.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1648
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4192
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4516
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3628
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:5044
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4464
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:4232
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4100
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4240
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:4056
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:512
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2012
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3556
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4092
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1004
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:1744
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4120
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4056
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:1528
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1120
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2504
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:4624
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:3192
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:1104
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:1872
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:4156
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:1424
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
                PID:1104
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                  PID:1524
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                    PID:4352
                  • C:\Windows\explorer.exe
                    explorer.exe
                    1⤵
                      PID:4156
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:1052
                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                        1⤵
                          PID:4872
                        • C:\Windows\explorer.exe
                          explorer.exe
                          1⤵
                            PID:3504
                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                            1⤵
                              PID:2772
                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                              1⤵
                                PID:4280
                              • C:\Windows\explorer.exe
                                explorer.exe
                                1⤵
                                  PID:4796
                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                  1⤵
                                    PID:2320
                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                    1⤵
                                      PID:2996
                                    • C:\Windows\explorer.exe
                                      explorer.exe
                                      1⤵
                                        PID:3192
                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                        1⤵
                                          PID:972
                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                          1⤵
                                            PID:1376
                                          • C:\Windows\explorer.exe
                                            explorer.exe
                                            1⤵
                                              PID:3512
                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                              1⤵
                                                PID:512
                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                1⤵
                                                  PID:3776
                                                • C:\Windows\explorer.exe
                                                  explorer.exe
                                                  1⤵
                                                    PID:1524
                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                    1⤵
                                                      PID:3700
                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                      1⤵
                                                        PID:1228
                                                      • C:\Windows\explorer.exe
                                                        explorer.exe
                                                        1⤵
                                                          PID:4344
                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                          1⤵
                                                            PID:1252
                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                            1⤵
                                                              PID:4628
                                                            • C:\Windows\explorer.exe
                                                              explorer.exe
                                                              1⤵
                                                                PID:3096
                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                1⤵
                                                                  PID:3408
                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                  1⤵
                                                                    PID:3808
                                                                  • C:\Windows\explorer.exe
                                                                    explorer.exe
                                                                    1⤵
                                                                      PID:1952
                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                      1⤵
                                                                        PID:4404
                                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                        1⤵
                                                                          PID:4520
                                                                        • C:\Windows\explorer.exe
                                                                          explorer.exe
                                                                          1⤵
                                                                            PID:2252
                                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                            1⤵
                                                                              PID:2004
                                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                              1⤵
                                                                                PID:744
                                                                              • C:\Windows\explorer.exe
                                                                                explorer.exe
                                                                                1⤵
                                                                                  PID:4264
                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                  1⤵
                                                                                    PID:3808
                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                    1⤵
                                                                                      PID:4160
                                                                                    • C:\Windows\explorer.exe
                                                                                      explorer.exe
                                                                                      1⤵
                                                                                        PID:4196
                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                        1⤵
                                                                                          PID:1680
                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                          1⤵
                                                                                            PID:1804
                                                                                          • C:\Windows\explorer.exe
                                                                                            explorer.exe
                                                                                            1⤵
                                                                                              PID:3808
                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                              1⤵
                                                                                                PID:1132
                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                1⤵
                                                                                                  PID:4316
                                                                                                • C:\Windows\explorer.exe
                                                                                                  explorer.exe
                                                                                                  1⤵
                                                                                                    PID:4156

                                                                                                  Network

                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                  Replay Monitor

                                                                                                  Loading Replay Monitor...

                                                                                                  Downloads

                                                                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                                                                                                    Filesize

                                                                                                    2KB

                                                                                                    MD5

                                                                                                    f5fa317e86fbbb98d25ec465835e171a

                                                                                                    SHA1

                                                                                                    eb14621ca5cb1391ba732a528c09b2e9e8c266ef

                                                                                                    SHA256

                                                                                                    7421b5176ac2bb629beb4d335ef64507b244e2ab24bb75591fc9d647d570b8d4

                                                                                                    SHA512

                                                                                                    cd2980580ad573f64d3bf3b8157325cc0f1fd450b8d1430a9a3095b78ddbd9d8beddcf17fef2d43a60884ce7a7ac87e063292632870d8b9fe36c1e7721a54078

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133731517004874219.txt
                                                                                                    Filesize

                                                                                                    75KB

                                                                                                    MD5

                                                                                                    1cbb9ce97809bf169553a750b8087f63

                                                                                                    SHA1

                                                                                                    fd52559722984282b2ce33f61649044f96fc9746

                                                                                                    SHA256

                                                                                                    c37340b605d39d57148fc496d4cafae7239d10c5e5bc6e01102c8041f5a914a4

                                                                                                    SHA512

                                                                                                    cd9d048474bcbbec6b7c7a3e84f8f2c654e5930c3ce68c37515f8589f35895c85891142e12925344b9ccbc1f067c03ed11ba97b23228054a7591083221557c60

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\LLDJA3WI\microsoft.windows[1].xml
                                                                                                    Filesize

                                                                                                    97B

                                                                                                    MD5

                                                                                                    372706547a804b876522fe741dbfc040

                                                                                                    SHA1

                                                                                                    9bca733d6804f24c6841ef02b52e8ade1b45d7e4

                                                                                                    SHA256

                                                                                                    09fe1eb66c953d75dc66ff6df9237cde5f419fb25fab6327de9cde6676219651

                                                                                                    SHA512

                                                                                                    cc8057de048bf5646e41bed6f01111328bceae9abb4282a4ee1be635d086b6b3647cb5cc17cc3564980e5e31342a767dc639e536edbd3720df6b35ac7ebce34a

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jtkqavjh.bpa.ps1
                                                                                                    Filesize

                                                                                                    60B

                                                                                                    MD5

                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                    SHA1

                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                    SHA256

                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                    SHA512

                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                    Download Submit

                                                                                                  • memory/1004-489-0x0000026BC6F70000-0x0000026BC6F90000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/1004-499-0x0000026BC7380000-0x0000026BC73A0000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/1004-481-0x0000026BC6FB0000-0x0000026BC6FD0000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/1004-477-0x0000026BC5E50000-0x0000026BC5F50000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/1004-476-0x0000026BC5E50000-0x0000026BC5F50000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/1104-908-0x000001C4F8920000-0x000001C4F8A20000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/1104-923-0x000001C4F9A40000-0x000001C4F9A60000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/1104-909-0x000001C4F8920000-0x000001C4F8A20000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/1104-1208-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/1104-910-0x000001C4F8920000-0x000001C4F8A20000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/1104-913-0x000001C4F9A80000-0x000001C4F9AA0000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/1104-934-0x000001C4F9E50000-0x000001C4F9E70000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/1424-1061-0x000001FADB500000-0x000001FADB600000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/1424-1097-0x000001FADCA20000-0x000001FADCA40000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/1424-1070-0x000001FADC620000-0x000001FADC640000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/1424-1062-0x000001FADB500000-0x000001FADB600000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/1424-1065-0x000001FADC660000-0x000001FADC680000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/1424-1060-0x000001FADB500000-0x000001FADB600000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/1528-761-0x0000000004C00000-0x0000000004C01000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/1648-14-0x000001CFC67C0000-0x000001CFC67E4000-memory.dmp

                                                                                                    Filesize

                                                                                                    144KB

                                                                                                    Download

                                                                                                  • memory/1648-16-0x00007FFEBA840000-0x00007FFEBB301000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/1648-0-0x00007FFEBA843000-0x00007FFEBA845000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                    Download

                                                                                                  • memory/1648-18-0x00007FFEBA840000-0x00007FFEBB301000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/1648-15-0x00007FFEBA840000-0x00007FFEBB301000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/1648-20-0x00007FFEBA840000-0x00007FFEBB301000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/1648-19-0x00007FFEBA840000-0x00007FFEBB301000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/1648-6-0x000001CFAD3C0000-0x000001CFAD3E2000-memory.dmp

                                                                                                    Filesize

                                                                                                    136KB

                                                                                                    Download

                                                                                                  • memory/1648-11-0x00007FFEBA840000-0x00007FFEBB301000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/1648-12-0x00007FFEBA840000-0x00007FFEBB301000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/1648-13-0x000001CFC67C0000-0x000001CFC67EA000-memory.dmp

                                                                                                    Filesize

                                                                                                    168KB

                                                                                                    Download

                                                                                                  • memory/1744-619-0x0000000004370000-0x0000000004371000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/1872-1059-0x0000000004860000-0x0000000004861000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/2012-338-0x0000023F32000000-0x0000023F32100000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/2012-352-0x0000023F33120000-0x0000023F33140000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/2012-363-0x0000023F33520000-0x0000023F33540000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/2012-337-0x0000023F32000000-0x0000023F32100000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/2012-342-0x0000023F33160000-0x0000023F33180000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/2012-339-0x0000023F32000000-0x0000023F32100000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/2504-796-0x0000024F618A0000-0x0000024F618C0000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/2504-768-0x0000024F612C0000-0x0000024F612E0000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/2504-779-0x0000024F61280000-0x0000024F612A0000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/2504-763-0x0000024F60360000-0x0000024F60460000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/3556-474-0x00000000042B0000-0x00000000042B1000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/3628-23-0x0000000004D90000-0x0000000004D91000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/4056-626-0x000001F00E8C0000-0x000001F00E8E0000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/4056-632-0x000001F00E880000-0x000001F00E8A0000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/4056-621-0x000001F00D960000-0x000001F00DA60000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/4056-336-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/4056-645-0x000001F00EEA0000-0x000001F00EEC0000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/4056-622-0x000001F00D960000-0x000001F00DA60000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/4156-1349-0x0000000004E10000-0x0000000004E11000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/4232-185-0x0000000004930000-0x0000000004931000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/4240-192-0x0000025E6E060000-0x0000025E6E080000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/4240-189-0x0000025E6CF00000-0x0000025E6D000000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/4240-216-0x0000025E6E420000-0x0000025E6E440000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/4240-202-0x0000025E6E020000-0x0000025E6E040000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/4240-188-0x0000025E6CF00000-0x0000025E6D000000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/4352-1246-0x00000254D1620000-0x00000254D1640000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/4352-1228-0x00000254D1220000-0x00000254D1240000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/4352-1209-0x00000254CFF00000-0x00000254D0000000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/4352-1214-0x00000254D1260000-0x00000254D1280000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/4464-53-0x0000022FE9A50000-0x0000022FE9A70000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/4464-25-0x0000022FE8520000-0x0000022FE8620000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/4464-26-0x0000022FE8520000-0x0000022FE8620000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download

                                                                                                  • memory/4464-30-0x0000022FE9680000-0x0000022FE96A0000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/4464-43-0x0000022FE9640000-0x0000022FE9660000-memory.dmp

                                                                                                    Filesize

                                                                                                    128KB

                                                                                                    Download

                                                                                                  • memory/4624-906-0x0000000004750000-0x0000000004751000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/4872-1351-0x000001C2DB800000-0x000001C2DB900000-memory.dmp

                                                                                                    Filesize

                                                                                                    1024KB

                                                                                                    Download