Analysis

  • max time kernel
    20s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-10-2024 14:02

General

  • Target

    Levitator/Exungulate.ps1

  • Size

    54KB

  • MD5

    0d2ce39822e9236a380f4d1d53550e93

  • SHA1

    8381b0e62708112dbfbed036650bf0667ec4476b

  • SHA256

    ed34db2a55a35c90b524d2448353eb73d28da7d7ff401477165c226ff25de9af

  • SHA512

    f365bb861db3fc6d29736b3f8c0377bb4f8318fff94bc96033ae208760082b529b8aea4cf79de9efa3608c79ac91fe57e19f26959831f621bba8816e1013afc3

  • SSDEEP

    1536:L3ZsYDoSFyAkhotYr3XpNhdrWlR7uDZy4k:DiYMSFyVoANpy4k

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Enumerates connected drives (3 TTPs, 6 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)

    Using powershell.exe command.

  • Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings (1 TTPs, 4 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (9 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (60 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Levitator\Exungulate.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4584
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1352
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:836
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5000
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3340
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3388
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:1848
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:540
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1556
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Suspicious use of SendNotifyMessage
    PID:4120
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:1508
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3952
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3164
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3612
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3484
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4624
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3236
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3608
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:212
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:1660
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1612
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:372
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2252
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:400
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4732
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4020
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1868
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2612
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3740
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2476
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4500
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:5000
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1168
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2280
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:872
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3928
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:1696
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:840
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4612
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3708
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3704
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:912
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2108
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4580
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3772
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2748
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3844
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2292
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3180
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4564
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3772
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4944
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2612
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1508
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2344
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2604
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2476
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4936
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2724
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:840
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2576
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2920
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4312
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2828
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4304
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1624
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2108
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:5080
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3928
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4184
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2748
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4480
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:1064

                                                                                                                                Network

                                                                                                                                MITRE ATT&CK Enterprise v15

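Two entries in the Downloads list below are ordinary Windows noise rather than evidence of what the sample did: `__PSScriptPolicyTest_*.ps1` in `%TEMP%` is written by powershell.exe itself at startup to probe AppLocker/WDAC script enforcement, and the CryptnetUrlCache files are CryptoAPI's cache of fetched certificate-chain data, populated by any process that validates a certificate. The remaining paths and digests are the report's reusable IOCs. Because the listing is flattened into label/value line pairs, it is worth parsing it rather than copying hashes by hand; the parser below is an added example written for this page, not part of the report or the sandbox's tooling. It assumes the layout shown (a bullet opens a record, followed by `Filesize`/hash labels each on its own line, memory dumps named `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`) and cross-checks two things a copy/paste or extraction error would break: every digest has the length its algorithm requires, and each dump's stated size matches its address span. The embedded sample is an excerpt of records copied from the listing below.

```python
import re
from dataclasses import dataclass, field

BULLET = "•"
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$")
# Assumed dump naming, taken from the listing: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    filesize: str = ""
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int
    filesize: str = ""

    @property
    def length(self) -> int:
        return self.end - self.start


def parse_size(text: str) -> int:
    """'128KB' -> 131072; raises ValueError on anything the report would not print."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m[1]) * UNITS[m[2]])


def parse_downloads(text: str):
    """A bullet line opens a record; the label/value line pairs after it fill the record.
    Indentation and blank lines are layout only and are discarded."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    files, regions, current, i = [], [], None, 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith(BULLET):
            name = ln[len(BULLET):].strip()
            m = MEM_RE.match(name)
            if m:
                current = MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16))
                regions.append(current)
            else:
                current = DroppedFile(path=name)
                files.append(current)
            i += 1
            continue
        if current is not None and i + 1 < len(lines):
            label, value = ln, lines[i + 1]
            if label == "Filesize":
                current.filesize = value
                i += 2
                continue
            if label in HASH_LEN and isinstance(current, DroppedFile):
                current.hashes[label] = value.lower()
                i += 2
                continue
        i += 1  # unknown label: skip it rather than mis-assign the next value
    return files, regions


def check_report(files, regions):
    """Flag digests with the wrong length or non-hex characters (typical of extraction or
    copy/paste damage) and dump files whose stated size disagrees with the address span."""
    problems = []
    for f in files:
        for alg, digest in f.hashes.items():
            if len(digest) != HASH_LEN[alg] or not re.fullmatch(r"[0-9a-f]+", digest):
                problems.append(f"{f.path}: malformed {alg} {digest!r}")
    for r in regions:
        if r.filesize and r.length != parse_size(r.filesize):
            problems.append(f"memory/{r.pid}-{r.seq}: span 0x{r.length:x} != {r.filesize}")
    return problems


# Excerpt in the report's own layout: two records copied from the listing on this page.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bh224eui.dqz.ps1
  Filesize
  60B
  MD5
  d17fe0a3f47be24a6453e9ef58c94641
  SHA256
  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
• memory/212-776-0x0000000004750000-0x0000000004751000-memory.dmp
  Filesize
  4KB
"""

if __name__ == "__main__":
    dropped, dumps = parse_downloads(SAMPLE)
    print(len(dropped), "files,", len(dumps), "dumps; problems:", check_report(dropped, dumps) or "none")
```

Feed the whole Downloads section to `parse_downloads` and the `DroppedFile` records give you paths and digests for a blocklist or retro-hunt, while the `MemoryRegion` records tell you which PIDs the sandbox dumped and at what addresses; run `check_report` first so a truncated digest is caught before it reaches a detection rule.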
                                                                                                                                Downloads

                                                                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

                                                                                                                                  Filesize

                                                                                                                                  471B

                                                                                                                                  MD5

                                                                                                                                  62c508511a794bcc4d6228a0b4ef61d1

                                                                                                                                  SHA1

                                                                                                                                  b4e378c16fa898c3a2169f9fecad811becae6635

                                                                                                                                  SHA256

                                                                                                                                  5ed56c9d8284974af69a48b972977e0fe4467995eb74e8741094cb99d8ff498a

                                                                                                                                  SHA512

                                                                                                                                  458bfbe6ed86badb5a1ca2368828e048da6cb641c334f09943d47cd61a58e9f15f054de28e6d4289351405792a3f68ce2bff3766613149e61cca6a4ab439193d

                                                                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

                                                                                                                                  Filesize

                                                                                                                                  412B

                                                                                                                                  MD5

                                                                                                                                  893eae469b892bf160b6ddba0dcf3098

                                                                                                                                  SHA1

                                                                                                                                  59e21d58efda21c881944e2e3b7e7f9ee33e9ec0

                                                                                                                                  SHA256

                                                                                                                                  522280573ff7c0e85dd36d036d0ddce2c54a8d0597bfa45ded4b98e96ed4c2db

                                                                                                                                  SHA512

                                                                                                                                  8f636291d35b5e34bf44f4726a56d461fdd79c1bacd981310fff75f4fdd1d800c1682c5e93ce2b17bc79272b749778781468f7e483e24a621627c4b40c7ad0f0

                                                                                                                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

                                                                                                                                  Filesize

                                                                                                                                  2KB

                                                                                                                                  MD5

                                                                                                                                  f61b49b1dab5a303794c7b11c0dd2d37

                                                                                                                                  SHA1

                                                                                                                                  165833f189fb34a3ef1da83e75e9173ed2a16f06

                                                                                                                                  SHA256

                                                                                                                                  4ed7f28074976d7f32422a1dbd5d0cd69f7f3b04223a7601bafb288f1199277a

                                                                                                                                  SHA512

                                                                                                                                  1cec99eddeecaa0de2cc688c2e985b50163589b3d762820a59fde52344b4025d6cc0693199eba1192b5ae5677e1eb51b5ff98c9946cec78d5ab6a4fe916c2d08

                                                                                                                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133740793524160184.txt

                                                                                                                                  Filesize

                                                                                                                                  76KB

                                                                                                                                  MD5

                                                                                                                                  9e42aa59f6bebcb91986f32a5014233f

                                                                                                                                  SHA1

                                                                                                                                  496af56e926f9c929e3faf1b611ab2d59e34dafb

                                                                                                                                  SHA256

                                                                                                                                  da8189bb328fad3709b66b58c3eb2dc9459f0f046d2008a4dd5c6033422554dc

                                                                                                                                  SHA512

                                                                                                                                  acb2292a05b2c8bc805049d3de5c4b7a164cde50429254b0f2d91915306294551155a2be9a7355874981b2c33c19906a001dded653f0c7cacb6969c146862ce6

                                                                                                                                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\80GI1ZH7\microsoft.windows[1].xml

                                                                                                                                  Filesize

                                                                                                                                  97B

                                                                                                                                  MD5

                                                                                                                                  742f1cda58883699ef753f83244412ce

                                                                                                                                  SHA1

                                                                                                                                  38531f396e1d9dc9ba6bba0604149c377605f57a

                                                                                                                                  SHA256

                                                                                                                                  5ef67927e9fdebb14515728d51548c52536519b35b5a52728ca1d660d957025f

                                                                                                                                  SHA512

                                                                                                                                  11acf77cd15052ae9cf554ab666f6c1e629e174fad16659738a11bee6a53b857f375fe99701e7c14c14286193864449f5b88a208ff34f4874e8351dff6a3a6f2

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bh224eui.dqz.ps1

                                                                                                                                  Filesize

                                                                                                                                  60B

                                                                                                                                  MD5

                                                                                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                  SHA1

                                                                                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                  SHA256

                                                                                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                  SHA512

                                                                                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                • memory/212-776-0x0000000004750000-0x0000000004751000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                • memory/372-925-0x0000000004C80000-0x0000000004C81000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                • memory/400-943-0x000001AE064E0000-0x000001AE06500000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/400-926-0x000001AE04700000-0x000001AE04800000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1024KB

                                                                                                                                • memory/400-927-0x000001AE04700000-0x000001AE04800000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1024KB

                                                                                                                                • memory/400-931-0x000001AE06520000-0x000001AE06540000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/400-962-0x000001AE06B00000-0x000001AE06B20000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/400-928-0x000001AE04700000-0x000001AE04800000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1024KB

                                                                                                                                • memory/1168-1361-0x000002811C940000-0x000002811C960000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/1168-1357-0x000002811B800000-0x000002811B900000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1024KB

                                                                                                                                • memory/1168-1356-0x000002811B800000-0x000002811B900000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1024KB

                                                                                                                                • memory/1556-228-0x0000020589FA0000-0x0000020589FC0000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/1556-201-0x0000020589FE0000-0x000002058A000000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/1556-229-0x000002058A6B0000-0x000002058A6D0000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/1612-813-0x0000018751DC0000-0x0000018751DE0000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/1612-777-0x0000018750800000-0x0000018750900000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1024KB

                                                                                                                                • memory/1612-779-0x0000018750800000-0x0000018750900000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1024KB

                                                                                                                                • memory/1612-782-0x0000018751960000-0x0000018751980000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/1612-792-0x0000018751920000-0x0000018751940000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/1848-193-0x0000000002F80000-0x0000000002F81000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                • memory/1868-1101-0x00000257101D0000-0x00000257101F0000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/1868-1115-0x00000257107E0000-0x0000025710800000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/1868-1079-0x000002570F300000-0x000002570F400000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1024KB

                                                                                                                                • memory/1868-1083-0x0000025710420000-0x0000025710440000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/2476-1233-0x00000203852E0000-0x0000020385300000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/2476-1228-0x0000020383600000-0x0000020383700000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1024KB

                                                                                                                                • memory/2476-1229-0x0000020383600000-0x0000020383700000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1024KB

                                                                                                                                • memory/2476-1254-0x00000203858F0000-0x0000020385910000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/2476-1253-0x00000203852A0000-0x00000203852C0000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/2612-1226-0x0000000004640000-0x0000000004641000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                • memory/3164-492-0x00000000045A0000-0x00000000045A1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                • memory/3388-63-0x000001FD4E790000-0x000001FD4E7B0000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/3388-35-0x000001FD4E3C0000-0x000001FD4E3E0000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/3388-47-0x000001FD4E380000-0x000001FD4E3A0000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                • memory/3388-31-0x000001FD4D3A0000-0x000001FD4D4A0000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1024KB

• memory/3484-494-0x0000023B53F00000-0x0000023B54000000-memory.dmp (Filesize 1024KB)
• memory/3484-508-0x0000024355FA0000-0x0000024355FC0000-memory.dmp (Filesize 128KB)
• memory/3484-496-0x0000023B53F00000-0x0000023B54000000-memory.dmp (Filesize 1024KB)
• memory/3484-514-0x0000024356640000-0x0000024356660000-memory.dmp (Filesize 128KB)
• memory/3484-499-0x0000024355FE0000-0x0000024356000000-memory.dmp (Filesize 128KB)
• memory/3608-649-0x0000022B7EE40000-0x0000022B7EE60000-memory.dmp (Filesize 128KB)
• memory/3608-665-0x0000022B7F250000-0x0000022B7F270000-memory.dmp (Filesize 128KB)
• memory/3608-632-0x0000022B7DD20000-0x0000022B7DE20000-memory.dmp (Filesize 1024KB)
• memory/3608-637-0x0000022B7EE80000-0x0000022B7EEA0000-memory.dmp (Filesize 128KB)
• memory/3952-385-0x0000023F5F420000-0x0000023F5F440000-memory.dmp (Filesize 128KB)
• memory/3952-367-0x0000023F5F020000-0x0000023F5F040000-memory.dmp (Filesize 128KB)
• memory/3952-353-0x0000023F5F060000-0x0000023F5F080000-memory.dmp (Filesize 128KB)
• memory/3952-348-0x0000023F5DF00000-0x0000023F5E000000-memory.dmp (Filesize 1024KB)
• memory/3952-349-0x0000023F5DF00000-0x0000023F5E000000-memory.dmp (Filesize 1024KB)
• memory/3952-350-0x0000023F5DF00000-0x0000023F5E000000-memory.dmp (Filesize 1024KB)
• memory/4120-346-0x00000000049E0000-0x00000000049E1000-memory.dmp (Filesize 4KB)
• memory/4500-1355-0x00000000045F0000-0x00000000045F1000-memory.dmp (Filesize 4KB)
• memory/4584-13-0x000002C260A00000-0x000002C260A2A000-memory.dmp (Filesize 168KB)
• memory/4584-15-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp (Filesize 10.8MB)
• memory/4584-10-0x000002C260600000-0x000002C260622000-memory.dmp (Filesize 136KB)
• memory/4584-20-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp (Filesize 10.8MB)
• memory/4584-19-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp (Filesize 10.8MB)
• memory/4584-18-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp (Filesize 10.8MB)
• memory/4584-16-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp (Filesize 10.8MB)
• memory/4584-11-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp (Filesize 10.8MB)
• memory/4584-12-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp (Filesize 10.8MB)
• memory/4584-14-0x000002C260A00000-0x000002C260A24000-memory.dmp (Filesize 144KB)
• memory/4584-0-0x00007FFEF6F03000-0x00007FFEF6F05000-memory.dmp (Filesize 8KB)
• memory/4624-630-0x0000000004F10000-0x0000000004F11000-memory.dmp (Filesize 4KB)
• memory/4732-1076-0x0000000004980000-0x0000000004981000-memory.dmp (Filesize 4KB)
• memory/5000-29-0x0000000004730000-0x0000000004731000-memory.dmp (Filesize 4KB)
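The dump names above encode the process ID, a snapshot index and the dumped address range (memory/<pid>-<index>-<start>-<end>-memory.dmp), so the listing can be checked and grouped mechanically rather than read by eye. The following Python helper is an added example, not part of the sandbox report or its tooling: it parses that name format, verifies that the reported Filesize equals end minus start, groups the distinct ranges per PID, and flags dumps of the same process whose ranges overlap (for PID 4584 the 168KB and 144KB dumps share a base address, and the 8KB dump sits inside the 10.8MB region). The sample listing embedded in it is constructed from a subset of the entries above; the 0x7FF... threshold used to pick out the high address range where x64 system images are normally mapped is an assumption, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the dump names and sizes from the listing above.
SAMPLE = """
memory/3484-494-0x0000023B53F00000-0x0000023B54000000-memory.dmp 1024KB
memory/4584-13-0x000002C260A00000-0x000002C260A2A000-memory.dmp 168KB
memory/4584-14-0x000002C260A00000-0x000002C260A24000-memory.dmp 144KB
memory/4584-15-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp 10.8MB
memory/4584-0-0x00007FFEF6F03000-0x00007FFEF6F05000-memory.dmp 8KB
memory/5000-29-0x0000000004730000-0x0000000004731000-memory.dmp 4KB
"""

NAME_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Assumption: x64 system images are mapped in the 0x7FF... range; used only to tag dumps.
HIGH_IMAGE_RANGE = 0x7FF000000000


def parse_entry(name):
    """Return (pid, index, start, end) for a dump name, or None if it does not match."""
    m = NAME_RE.match(name)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    return int(pid), int(idx), int(start, 16), int(end, 16)


def human_size(nbytes):
    """Format a byte count the way the listing does: whole KB up to and including
    1 MiB (the report prints 1 MiB as 1024KB), otherwise MB with one decimal."""
    if nbytes <= 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def parse_listing(text):
    """Parse lines of '<dump name> <reported size>' into dicts, checking each size."""
    entries = []
    for line in text.strip().splitlines():
        name, reported = line.split()
        parsed = parse_entry(name)
        if parsed is None:
            raise ValueError(f"unrecognised dump name: {name}")
        pid, idx, start, end = parsed
        size = end - start
        entries.append({"pid": pid, "index": idx, "start": start, "end": end,
                        "size": size, "reported": reported,
                        "size_ok": human_size(size) == reported})
    return entries


def regions_by_pid(entries):
    """Distinct (start, end) ranges per PID, sorted by start address."""
    ranges = defaultdict(set)
    for e in entries:
        ranges[e["pid"]].add((e["start"], e["end"]))
    return {pid: sorted(r) for pid, r in ranges.items()}


def overlapping_regions(entries):
    """Index pairs of dumps from the same process whose ranges intersect but differ;
    identical ranges are repeated snapshots of one region and are not reported."""
    ordered = sorted(entries, key=lambda e: (e["pid"], e["index"]))
    pairs = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if a["pid"] != b["pid"]:
                continue
            if (a["start"], a["end"]) == (b["start"], b["end"]):
                continue
            if a["start"] < b["end"] and b["start"] < a["end"]:
                pairs.append((a["index"], b["index"]))
    return pairs


def high_image_dumps(entries):
    """Indices of dumps whose start lies in the assumed high image range."""
    return [e["index"] for e in entries if e["start"] >= HIGH_IMAGE_RANGE]


if __name__ == "__main__":
    ents = parse_listing(SAMPLE)
    for pid, regs in regions_by_pid(ents).items():
        print(pid, [f"0x{s:X}-0x{e:X}" for s, e in regs])
    print("size mismatches:", [e["index"] for e in ents if not e["size_ok"]])
    print("overlaps:", overlapping_regions(ents))
    print("high image range:", high_image_dumps(ents))
```

Run against the full listing, every reported Filesize matches end minus start, so the sizes can be trusted when deciding which dumps to pull first; the repeated 10.8MB range at 0x00007FFEF6F00000 in PID 4584 is one region captured at several snapshots, and the 8KB dump at 0x00007FFEF6F03000 is a slice of it.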