Overview

overview

10

Static

static

1

5b23cfc94f...1N.exe

windows7-x64

5

5b23cfc94f...1N.exe

windows10-2004-x64

10

Tegnmaessig.ps1

windows7-x64

3

Tegnmaessig.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    38s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 06:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tegnmaessig.ps1

  • Size

    55KB

  • MD5

    dbf1218b52e9c36ac61fd9588182d410

  • SHA1

    ca5b4f38b71cd9ca075b8c58d0841e56d8f49da8

  • SHA256

    8bebca4215d24a6f6ec02c135f9076a39d95ba3ae7a7487897021028ca219a68

  • SHA512

    fc50ae502ca65bed1884fd131bb89a7f5bb261079374101fe4d1d7ff1e03cffcf370c7cd7f096d65f92054164fbcc28d3e53e7f3b98c556f15fcd9f000f7e634

  • SSDEEP

    1536:2iPb6qkSSZ0oVqNj+pwQVV/P/Y99A7tGEijnOYN:BlSZ08qWwCtPqwtMx

Score
8/10
executionpersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Enumerates connected drives 3 TTPs 14 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Tegnmaessig.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3076
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2376
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3788
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1932
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4044
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2424
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:4536
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3696
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2236
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:4212
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2092
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2848
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    PID:4244
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3972
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4020
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    PID:3404
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4952
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4764
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    PID:3952
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1924
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:388
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4736
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:3936
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:1968
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:2508
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:1916
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:1236
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
                PID:1124
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                  PID:2192
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                    PID:2092
                  • C:\Windows\explorer.exe
                    explorer.exe
                    1⤵
                      PID:3052
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:664
                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                        1⤵
                          PID:2752
                        • C:\Windows\explorer.exe
                          explorer.exe
                          1⤵
                            PID:4568
                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                            1⤵
                              PID:4408
                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                              1⤵
                                PID:3120
                              • C:\Windows\explorer.exe
                                explorer.exe
                                1⤵
                                  PID:4040
                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                  1⤵
                                    PID:1892
                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                    1⤵
                                      PID:2652
                                    • C:\Windows\explorer.exe
                                      explorer.exe
                                      1⤵
                                        PID:1344
                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                        1⤵
                                          PID:4740
                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                          1⤵
                                            PID:1560
                                          • C:\Windows\explorer.exe
                                            explorer.exe
                                            1⤵
                                              PID:2480
                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                              1⤵
                                                PID:1296
                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                1⤵
                                                  PID:4260
                                                • C:\Windows\explorer.exe
                                                  explorer.exe
                                                  1⤵
                                                    PID:2344
                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                    1⤵
                                                      PID:1660
                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                      1⤵
                                                        PID:5108
                                                      • C:\Windows\explorer.exe
                                                        explorer.exe
                                                        1⤵
                                                          PID:4820
                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                          1⤵
                                                            PID:1688
                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                            1⤵
                                                              PID:4312
                                                            • C:\Windows\explorer.exe
                                                              explorer.exe
                                                              1⤵
                                                                PID:2328
                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                1⤵
                                                                  PID:4984
                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                  1⤵
                                                                    PID:3884
                                                                  • C:\Windows\explorer.exe
                                                                    explorer.exe
                                                                    1⤵
                                                                      PID:2340
                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                      1⤵
                                                                        PID:4520
                                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                        1⤵
                                                                          PID:4052
                                                                        • C:\Windows\explorer.exe
                                                                          explorer.exe
                                                                          1⤵
                                                                            PID:4212
                                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                            1⤵
                                                                              PID:2636
                                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                              1⤵
                                                                                PID:2872
                                                                              • C:\Windows\explorer.exe
                                                                                explorer.exe
                                                                                1⤵
                                                                                  PID:3024
                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                  1⤵
                                                                                    PID:464
                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                    1⤵
                                                                                      PID:2040
                                                                                    • C:\Windows\explorer.exe
                                                                                      explorer.exe
                                                                                      1⤵
                                                                                        PID:1972
                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                        1⤵
                                                                                          PID:2824
                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                          1⤵
                                                                                            PID:3368
                                                                                          • C:\Windows\explorer.exe
                                                                                            explorer.exe
                                                                                            1⤵
                                                                                              PID:4880
                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                              1⤵
                                                                                                PID:4496
                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                1⤵
                                                                                                  PID:4672
                                                                                                • C:\Windows\explorer.exe
                                                                                                  explorer.exe
                                                                                                  1⤵
                                                                                                    PID:3420
                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                    1⤵
                                                                                                      PID:2596
                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                      1⤵
                                                                                                        PID:2340

                                                                                                      Network

                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                      Replay Monitor

                                                                                                      Loading Replay Monitor...

                                                                                                      Downloads

                                                                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
                                                                                                        Filesize

                                                                                                        471B

                                                                                                        MD5

                                                                                                        30d789b35d3bd299a14928813b7e44d4

                                                                                                        SHA1

                                                                                                        e15e8ba29c922523eceb4a885245a03686e6c676

                                                                                                        SHA256

                                                                                                        5711db392f67108217ac88cf7daf5dc837befd256e7e5b64f598cc59b6d08a6d

                                                                                                        SHA512

                                                                                                        3c1d2633ca381204cbfbd46e2ffff2714fefff2c1275181c6b0b597b649d0a6712ce6868627db669aa25073061ff0be9f2f43e17b2fd4725ff6a8ccd213f90db

                                                                                                        Download Submit

                                                                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
                                                                                                        Filesize

                                                                                                        412B

                                                                                                        MD5

                                                                                                        40a9bd0ff4d5b9620cef45ec0a391e34

                                                                                                        SHA1

                                                                                                        750100f56505b2b00573c4f5066e39354ae1528b

                                                                                                        SHA256

                                                                                                        65ead3598dbbe44f5bd098d7361cbc1d2fd708b7802cb5871618a1f08d80d2af

                                                                                                        SHA512

                                                                                                        6965d057e8a34dcd3f801290ca5190ad25b7b4ba4243ff06a8ca9d2434dbc26380f4559a01cdf38048ed2ed7d4345d928e15d051f1bcd0e0c9f20d9bf07b169f

                                                                                                        Download Submit

                                                                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                                                                                                        Filesize

                                                                                                        2KB

                                                                                                        MD5

                                                                                                        1c0852f2b4c3c9c4811ee0191c3c8e8a

                                                                                                        SHA1

                                                                                                        d1f79f9d1deaf9dd49bd9843b95f9c55586e5dcc

                                                                                                        SHA256

                                                                                                        edcc0707f1cfc98ba5e4264712e39fcba8c1664010ffecade2f188767ce84d72

                                                                                                        SHA512

                                                                                                        0db714f873943ff2bb67abac281ea850dbc89f665afb0b203c302a61b41d55a240ca374fd1ee43b80a52b1494e6122d4c0957e3b941884525ec67684ed2cdd29

                                                                                                        Download Submit

                                                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YCLWQ4BV\microsoft.windows[1].xml
                                                                                                        Filesize

                                                                                                        97B

                                                                                                        MD5

                                                                                                        781c2d6d1f6f2f8ae243c569925a6c44

                                                                                                        SHA1

                                                                                                        6d5d26acc2002f5a507bd517051095a97501931b

                                                                                                        SHA256

                                                                                                        70687e419879f006d0c50c08657c66b1187b94ea216cfe0a2e6be8bd2de77bc8

                                                                                                        SHA512

                                                                                                        3599fa8f2ffe140a8f68ec735810d24a5b367a9a551d620baa6dc611ca755dce1a662bf22b90f842d499d2c9530fb8acd634d1654d5e2c1b319574cbf35eadf7

                                                                                                        Download Submit

                                                                                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cag4yi5j.otu.ps1
                                                                                                        Filesize

                                                                                                        60B

                                                                                                        MD5

                                                                                                        d17fe0a3f47be24a6453e9ef58c94641

                                                                                                        SHA1

                                                                                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                        SHA256

                                                                                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                        SHA512

                                                                                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                        Download Submit

                                                                                                      • memory/388-790-0x00000293F4900000-0x00000293F4920000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/388-800-0x00000293F4D00000-0x00000293F4D20000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/388-773-0x0000028BF2800000-0x0000028BF2900000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/388-778-0x00000293F4940000-0x00000293F4960000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/1124-1219-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1236-1109-0x000002742A2A0000-0x000002742A2C0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/1236-1093-0x0000027429C90000-0x0000027429CB0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/1236-1079-0x0000027429CD0000-0x0000027429CF0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/1932-29-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1968-942-0x000001F99D270000-0x000001F99D290000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/1968-952-0x000001F99D880000-0x000001F99D8A0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/1968-930-0x000001F99D2B0000-0x000001F99D2D0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/1968-926-0x000001F99C350000-0x000001F99C450000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/1968-925-0x000001F99C350000-0x000001F99C450000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/2092-1221-0x000002A006100000-0x000002A006200000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/2092-1220-0x000002A006100000-0x000002A006200000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/2092-1225-0x000002A006EE0000-0x000002A006F00000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/2092-1249-0x000002A0074C0000-0x000002A0074E0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/2092-1237-0x000002A006EA0000-0x000002A006EC0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/2236-179-0x00000206DC500000-0x00000206DC600000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/2236-204-0x00000206DD9A0000-0x00000206DD9C0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/2236-183-0x00000206DD5D0000-0x00000206DD5F0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/2236-192-0x00000206DD590000-0x00000206DD5B0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/2236-180-0x00000206DC500000-0x00000206DC600000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/2236-178-0x00000206DC500000-0x00000206DC600000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/2424-57-0x00000250BC320000-0x00000250BC340000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/2424-30-0x00000250BAF20000-0x00000250BB020000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/2424-35-0x00000250BBF60000-0x00000250BBF80000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/2424-44-0x00000250BBF20000-0x00000250BBF40000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/2508-1071-0x00000000045C0000-0x00000000045C1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/2752-1367-0x000001E813300000-0x000001E813400000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/2848-355-0x00000267735D0000-0x00000267735F0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/2848-341-0x0000026772FC0000-0x0000026772FE0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/2848-332-0x0000026772100000-0x0000026772200000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/2848-331-0x0000026772100000-0x0000026772200000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/2848-336-0x0000026773200000-0x0000026773220000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/3052-1365-0x0000000004020000-0x0000000004021000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/3076-15-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/3076-13-0x000001B3CF020000-0x000001B3CF04A000-memory.dmp

                                                                                                        Filesize

                                                                                                        168KB

                                                                                                        Download

                                                                                                      • memory/3076-17-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/3076-18-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/3076-14-0x000001B3CF020000-0x000001B3CF044000-memory.dmp

                                                                                                        Filesize

                                                                                                        144KB

                                                                                                        Download

                                                                                                      • memory/3076-19-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/3076-12-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/3076-20-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/3076-11-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/3076-0-0x00007FFBAD563000-0x00007FFBAD565000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/3076-10-0x000001B3CED80000-0x000001B3CEDA2000-memory.dmp

                                                                                                        Filesize

                                                                                                        136KB

                                                                                                        Download

                                                                                                      • memory/3404-630-0x00000000040B0000-0x00000000040B1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/3952-772-0x0000000004620000-0x0000000004621000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/4020-479-0x000002C762300000-0x000002C762400000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/4020-507-0x000002C763A30000-0x000002C763A50000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/4020-480-0x000002C762300000-0x000002C762400000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/4020-496-0x000002C763620000-0x000002C763640000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/4020-484-0x000002C763660000-0x000002C763680000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/4020-481-0x000002C762300000-0x000002C762400000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/4212-329-0x0000000004D60000-0x0000000004D61000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/4244-478-0x0000000004E90000-0x0000000004E91000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/4536-176-0x00000000045C0000-0x00000000045C1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/4736-924-0x0000000004130000-0x0000000004131000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/4764-646-0x0000020F3FA70000-0x0000020F3FA90000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/4764-636-0x0000020F3FAB0000-0x0000020F3FAD0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download

                                                                                                      • memory/4764-631-0x0000020F3EB50000-0x0000020F3EC50000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                        Download

                                                                                                      • memory/4764-658-0x0000020F40080000-0x0000020F400A0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                        Download