Overview

overview

10

Static

static

1

Factura029...f..exe

windows7-x64

5

Factura029...f..exe

windows10-2004-x64

10

Monotheistic154.ps1

windows7-x64

3

Monotheistic154.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    78s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 08:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Monotheistic154.ps1

  • Size

    52KB

  • MD5

    319c227e068176aaecd7365843c8bf48

  • SHA1

    079e87e0de433023e0031ba596036e69b7785fbd

  • SHA256

    ccccc37ddb764f9ecaa067032f53db5ed67b0fff95985958a966100b97c0d583

  • SHA512

    1d55477dfb7299aa68d06247f8f3a5d4e03fe7ec65c65feaef29ebc1d8d166da5f98643806e00f9724d6d4de7fd6ee538441233a6618e0345901c21d7d378f39

  • SSDEEP

    1536:dYB9gMUl+4lSKkmsNL9Q0pgq/t9TelB/AVE:KBeMUl+4EKkmsdpxtVgb

Score
8/10
executionpersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 16 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Enumerates connected drives 3 TTPs 32 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Monotheistic154.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:904
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5112
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:208
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1924
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2532
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3756
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Suspicious use of SendNotifyMessage
    PID:4356
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1364
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:936
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Suspicious use of SendNotifyMessage
    PID:1352
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2108
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3820
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3584
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3436
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:4724
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    PID:808
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4752
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4460
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3784
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1936
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3096
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:2604
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3840
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2924
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:208
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1636
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:3824
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3436
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2264
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4000
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:4656
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1760
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    PID:976
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4992
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3328
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:4884
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2224
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:2328
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    PID:3068
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3488
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2812
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:4024
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4996
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2424
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:4752
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:904
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:4908
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:4700
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
            PID:964
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
              PID:5080
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:5056
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                  PID:4268
                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                  1⤵
                    PID:4464
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:4612
                    • C:\Windows\explorer.exe
                      explorer.exe
                      1⤵
                        PID:2816
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                          PID:3436
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:4576
                          • C:\Windows\explorer.exe
                            explorer.exe
                            1⤵
                              PID:3696
                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                              1⤵
                                PID:1636
                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                1⤵
                                  PID:4884
                                • C:\Windows\explorer.exe
                                  explorer.exe
                                  1⤵
                                    PID:3544
                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                    1⤵
                                      PID:3860
                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                      1⤵
                                        PID:3400

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
                                        Filesize

                                        471B

                                        MD5

                                        1f2d7ef8cddbdc9993dc3cecd01e96bc

                                        SHA1

                                        effd0abf0646b67f5407fa732df673e739df49dc

                                        SHA256

                                        6cb9f916579a761bbbfb9c04b284221d0559730c32472e175199188ad6334096

                                        SHA512

                                        b485ba08413f718ec39ab45f92be1345d95cd29cf63637e2768d52bbe89c6967fdf02efb4da9a1381751f0ae5b272c21f547d982fc1a412edb4e7fda04bc04d0

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
                                        Filesize

                                        412B

                                        MD5

                                        6e1cafcb98f63a95a72dab5b1b8d28f5

                                        SHA1

                                        762412854f310738cdee86b5de989af7eca324a7

                                        SHA256

                                        6d6a94fe4c91c587ec0295d41f4d433b90ed7b11aca41180152c716f67168232

                                        SHA512

                                        3dc7dfe0a12fa923226be69e656bd8c23d29b6f7e35829559498381e7757929187bf27b315ea4fc89d2e13887ec2b7b999a87cde2aa333358776409f27d23989

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                                        Filesize

                                        2KB

                                        MD5

                                        8523dd8ba26937572d42ed90dd2d5957

                                        SHA1

                                        faa9c31b2ecdf135d0cc5044026328cfbfe74c34

                                        SHA256

                                        df5a4b4c42c6f9627ec25332e91089490e983a1b2f8e583130e9046b0ba7901f

                                        SHA512

                                        f030a5247114d9f3dad28a988e1917acfb92b83c1656770596f7f098d194888371e2afb43db868c98c40906ec01160714be9bb07614eba3de84b6c88310b5cbc

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133757890524499212.txt
                                        Filesize

                                        76KB

                                        MD5

                                        15c550ce9a5a36c78a72d437d959b4c2

                                        SHA1

                                        e9f50fe567bbf26c30ce2750e93c82f66e92ad0a

                                        SHA256

                                        7f29cdcf7048356a21d4e7fa45dcdd56801f22f799c07245eb0dbe8ab17aeefc

                                        SHA512

                                        f91a6f99ba246c7bba30c97493249849cdc9ce521bf6c26d68cd4beec4bad3c1bbe7d247e99df5b2c2dd1be656307252529092e44e0a278efc96abc07b471888

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\M6JCG2RK\microsoft.windows[1].xml
                                        Filesize

                                        96B

                                        MD5

                                        732a32ad072ef786d816a4f85b1b6bea

                                        SHA1

                                        fe1945717c160ac3266f291564a003c044d409b0

                                        SHA256

                                        7dd2262373fcd6ebe2ed2c6e66242c85b1434c3fe23ca92ba41ae328ce8b941e

                                        SHA512

                                        55b57d5bf942f20a3557f20adeebb4c01cde4aec9d7a4fa8bfe6281fe0981773d8ce637fdbd1dc64f25abe72d75fad2a6538fadc86483ede9fdc5b59c0d36b79

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tgcmkx44.nly.ps1
                                        Filesize

                                        60B

                                        MD5

                                        d17fe0a3f47be24a6453e9ef58c94641

                                        SHA1

                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                        SHA256

                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                        SHA512

                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                        Download Submit

                                      • memory/208-1065-0x0000000004650000-0x0000000004651000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/808-623-0x0000000004A10000-0x0000000004A11000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/904-20-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/904-18-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/904-0-0x00007FFA367A3000-0x00007FFA367A5000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/904-17-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/904-12-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/904-11-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/904-13-0x000002C3E7230000-0x000002C3E725A000-memory.dmp

                                        Filesize

                                        168KB

                                        Download

                                      • memory/904-15-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/904-14-0x000002C3E7230000-0x000002C3E7254000-memory.dmp

                                        Filesize

                                        144KB

                                        Download

                                      • memory/904-19-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/904-1-0x000002C3E6EC0000-0x000002C3E6EE2000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/936-180-0x000001DE23600000-0x000001DE23700000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/936-195-0x000001DE24480000-0x000001DE244A0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/936-179-0x000001DE23600000-0x000001DE23700000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/936-178-0x000001DE23600000-0x000001DE23700000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/936-183-0x000001DE244C0000-0x000001DE244E0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/936-210-0x000001DE24AA0000-0x000001DE24AC0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/976-1366-0x00000000043B0000-0x00000000043B1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/1352-323-0x0000000004500000-0x0000000004501000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/1924-28-0x0000000003850000-0x0000000003851000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2328-1517-0x000001AAC0000000-0x000001AAC0100000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/2604-913-0x0000000004E70000-0x0000000004E71000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2924-920-0x0000022146BE0000-0x0000022146C00000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/2924-952-0x00000221472B0000-0x00000221472D0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/2924-931-0x0000022146BA0000-0x0000022146BC0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3096-783-0x000002305E450000-0x000002305E470000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3096-771-0x000002305E490000-0x000002305E4B0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3096-767-0x000002305D540000-0x000002305D640000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/3096-794-0x000002305EA60000-0x000002305EA80000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3096-766-0x000002305D540000-0x000002305D640000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/3328-1404-0x000002DA93570000-0x000002DA93590000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3328-1368-0x000002DA92040000-0x000002DA92140000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/3328-1369-0x000002DA92040000-0x000002DA92140000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/3328-1373-0x000002DA92FA0000-0x000002DA92FC0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3328-1386-0x000002DA92F60000-0x000002DA92F80000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3436-1217-0x00000000045B0000-0x00000000045B1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3584-471-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3756-31-0x000001F353770000-0x000001F353870000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/3756-44-0x000001F354750000-0x000001F354770000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3756-56-0x000001F354B60000-0x000001F354B80000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3756-35-0x000001F354790000-0x000001F3547B0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3784-764-0x0000000004D10000-0x0000000004D11000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3820-340-0x0000026161940000-0x0000026161960000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3820-361-0x0000026161D50000-0x0000026161D70000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3820-329-0x0000026161980000-0x00000261619A0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3824-1069-0x0000017D6EA00000-0x0000017D6EB00000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/3824-1104-0x0000018570EF0000-0x0000018570F10000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3824-1072-0x0000018570B20000-0x0000018570B40000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/3824-1085-0x00000185707E0000-0x0000018570800000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/4000-1221-0x000002461EC20000-0x000002461ED20000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/4000-1219-0x000002461EC20000-0x000002461ED20000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/4000-1220-0x000002461EC20000-0x000002461ED20000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/4000-1224-0x000002461FD70000-0x000002461FD90000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/4000-1234-0x000002461FD30000-0x000002461FD50000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/4000-1256-0x0000024620140000-0x0000024620160000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/4356-176-0x00000000045B0000-0x00000000045B1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4460-629-0x0000026E11C70000-0x0000026E11C90000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/4460-625-0x000002660F500000-0x000002660F600000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/4460-651-0x0000026E12040000-0x0000026E12060000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/4460-638-0x0000026E11C30000-0x0000026E11C50000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/4724-509-0x000001680E580000-0x000001680E5A0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/4724-493-0x000001680E170000-0x000001680E190000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/4724-477-0x000001680E1B0000-0x000001680E1D0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/4724-474-0x000001680D050000-0x000001680D150000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/4724-473-0x000001680D050000-0x000001680D150000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/4884-1515-0x00000000041A0000-0x00000000041A1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download