Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e88ac90819...18.exe

windows7-x64

10

e88ac90819...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/04/2024, 22:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e88ac908199e74958e0f6d4412760b87_JaffaCakes118.exe

  • Size

    279KB

  • MD5

    e88ac908199e74958e0f6d4412760b87

  • SHA1

    814ebeaa37736b7dd23b7a92b4093b54e8aa9a89

  • SHA256

    d380d48ca3036eb5d99453cb17ae6f3afb0aeea85786e14198bdd182a0182f8e

  • SHA512

    1b1c766e97225b37555c4f1a0bda1d0ea4444daf13c5f994a9f3f9690b9ad7e165a3d7baec8cca2771008e4c68bb8dfbab71a6bf485df065619e92f6348a2c90

  • SSDEEP

    6144:m7O00l65RAHqjeEnoz5OEKS64y5eUSqX5kdpfkQr7ZBfE9M:m75RGgdoz5LDsOddkUBc9M

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 17 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 34 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e88ac908199e74958e0f6d4412760b87_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e88ac908199e74958e0f6d4412760b87_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4688
    • C:\Users\Admin\AppData\Local\Temp\e88ac908199e74958e0f6d4412760b87_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e88ac908199e74958e0f6d4412760b87_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\8EF44\92B8D.exe%C:\Users\Admin\AppData\Roaming\8EF44
      2⤵
        PID:1972
      • C:\Users\Admin\AppData\Local\Temp\e88ac908199e74958e0f6d4412760b87_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\e88ac908199e74958e0f6d4412760b87_JaffaCakes118.exe startC:\Program Files (x86)\44954\lvvm.exe%C:\Program Files (x86)\44954
        2⤵
          PID:964
        • C:\Program Files (x86)\LP\8DF8\BE9D.tmp
          "C:\Program Files (x86)\LP\8DF8\BE9D.tmp"
          2⤵
          • Executes dropped EXE
          PID:2392
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1944
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2908
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:2644
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4524
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:972
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2368
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4124
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2628
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of SendNotifyMessage
        PID:4180
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3692
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2372
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:3620
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4304
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3592
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        PID:3120
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4692
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1060
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:1980
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3756
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1404
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:4424
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4048
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2548
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:1576
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:5096
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3844
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        PID:5104
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:2912
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3736
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:3972
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4844
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:468
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:3632
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:656
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4552
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:4044
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:2676
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2896
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:3224
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3468
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3652
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:4764
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4968
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2144
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:3664
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3632
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1652
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        PID:4424
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:1576
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:4272
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
              PID:1072
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:4024
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:1848
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:464
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    1⤵
                      PID:2240
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                        PID:2748

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Program Files (x86)\LP\8DF8\BE9D.tmp
                        Filesize

                        99KB

                        MD5

                        cb853d0e676be7b23903aa89175d8d69

                        SHA1

                        2066462d42c45133df60c5e5f9e8956373d191b0

                        SHA256

                        7291b34528651c542a4e09036bb828f27c9f75c134d2be3aed3e1c5a0db5fe20

                        SHA512

                        bf96f4c8511929ef380562004211a72821330465538db6da3367cbce387092384265e0bfd4ab54e62b742d68d668ff1457f43381d7a770fd3027f3bab1f36038

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                        Filesize

                        471B

                        MD5

                        8ec251d79a4e68a12bd95f0b8f336e63

                        SHA1

                        eb5ab5e546727ff28e5e2114fe4ea1ced1955bbd

                        SHA256

                        a78b91b641485c715c6bbf7ba95c9a689385c97cd56677afd7080a99e381ec0e

                        SHA512

                        554700082f62302b6fb0e7a30c055fa5e5d0b956433476b05e1321ffa96e8a4631d67b0d9534425c64ca7f21ebd672f4f0e2b544fe4859b6a5209112b86008a8

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                        Filesize

                        412B

                        MD5

                        05de0fee36c91ae413ffd34d6daf65ce

                        SHA1

                        5610cc92e4644dbc841a83250c90a395777304e9

                        SHA256

                        808e3e93985ee83c97c67e185214a278b01a66fb914441609a3866713e7add38

                        SHA512

                        1c377c81036e8193e386ea088e749097acc5ca2d0de767f608e053d9e162714238b469d89c80f4c266a82f8ecb92bc152dd516f2f8965430c4b747283965fdd6

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S6429SHP\microsoft.windows[1].xml
                        Filesize

                        97B

                        MD5

                        7e39acb1017053b924cf303370a12e55

                        SHA1

                        9c440dcafded082c00184b9b56e227028d055085

                        SHA256

                        b869cba3bf0e6ac6a65964e24a354bb1a787cb2c72db5da939e5a077d7848209

                        SHA512

                        895d599af4410d14543a699ecb70555a7ce606d9550c220b715ba1d8c6ef9e24b715c983499a162a222fdaa474dfdee1ad016b47b831e72acc994bd7c53dba1c

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\8EF44\4954.EF4
                        Filesize

                        600B

                        MD5

                        c0f8a02cbe7946e5354b62417a918059

                        SHA1

                        350d2c23745ff060c4256f06d1e6a1eb5c7ceca9

                        SHA256

                        dc542e4a2178167c4b8c340a898176cd37a6c2c7d75050dcfcafede695e7748c

                        SHA512

                        002ee599c9e5e6ffe8bf93e544c4137c349ffde555f8ea27543df4dc59dbe8d6ec64ec8fe4bbc33b276428d97472872318634930a2e717c59161a82545d4eb4f

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\8EF44\4954.EF4
                        Filesize

                        1KB

                        MD5

                        fa6bd5fc5b841c14089034d6c88b1b24

                        SHA1

                        f512914f675916ebb6e421d83bf17cfb827b1d03

                        SHA256

                        1488873ea027a3f42d92bce2cb646f5a693fa32563bb12dbfc8164183d10ee13

                        SHA512

                        665a37f22114326708ebee16d10f66a8eb7ec20fa9a2b1263cf299e8d8ec55e64631274b98158f345f6312b2f45993dae28a83ec0e6eb23f505c99b78827e72a

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\8EF44\4954.EF4
                        Filesize

                        996B

                        MD5

                        1696ca7079038bd9b330b1015805ae3b

                        SHA1

                        0794f2e9e500702a01cc082cf6079e93259ea583

                        SHA256

                        1ec409065506bd182df19ca62763201167101910eae7f93bd9d5463504cd96a9

                        SHA512

                        4288344fba233c9160b320acfa1714eae41a21005666991b286c5effb3f760a23e79a2500c459efd4327d0624e90e0ca34ca6d928f803c0c2ef672d5cbf4e86f

                        Download Submit

                      • memory/468-393-0x000001FA92400000-0x000001FA92420000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/468-395-0x000001FA923C0000-0x000001FA923E0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/468-397-0x000001FA927D0000-0x000001FA927F0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/964-83-0x00000000004F0000-0x00000000005F0000-memory.dmp

                        Filesize

                        1024KB

                        Download

                      • memory/964-82-0x0000000000400000-0x000000000046B000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/964-278-0x00000000004F0000-0x00000000005F0000-memory.dmp

                        Filesize

                        1024KB

                        Download

                      • memory/1060-289-0x0000020AE1880000-0x0000020AE18A0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1060-291-0x0000020AE1EA0000-0x0000020AE1EC0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1060-287-0x0000020AE18C0000-0x0000020AE18E0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1404-311-0x0000021DA8E20000-0x0000021DA8E40000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1404-315-0x0000021DA91E0000-0x0000021DA9200000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1404-313-0x0000021DA8BD0000-0x0000021DA8BF0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1576-345-0x0000000004E00000-0x0000000004E01000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1972-215-0x00000000005E0000-0x00000000006E0000-memory.dmp

                        Filesize

                        1024KB

                        Download

                      • memory/1972-13-0x0000000000400000-0x000000000046B000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/1972-14-0x00000000005E0000-0x00000000006E0000-memory.dmp

                        Filesize

                        1024KB

                        Download

                      • memory/1980-304-0x0000000004580000-0x0000000004581000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2144-491-0x000001CA77020000-0x000001CA77040000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2144-487-0x000001CA76C60000-0x000001CA76C80000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2144-489-0x000001CA76C20000-0x000001CA76C40000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2368-193-0x00000000037A0000-0x00000000037A1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2372-235-0x000002FA47C80000-0x000002FA47CA0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2372-237-0x000002FA47C40000-0x000002FA47C60000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2372-239-0x000002FA48050000-0x000002FA48070000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2392-251-0x0000000000400000-0x000000000041C000-memory.dmp

                        Filesize

                        112KB

                        Download

                      • memory/2392-253-0x0000000000400000-0x000000000041C000-memory.dmp

                        Filesize

                        112KB

                        Download

                      • memory/2392-252-0x00000000004E0000-0x00000000005E0000-memory.dmp

                        Filesize

                        1024KB

                        Download

                      • memory/2548-331-0x00000254F3E40000-0x00000254F3E60000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2548-333-0x00000254F3E00000-0x00000254F3E20000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2548-335-0x00000254F4200000-0x00000254F4220000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2628-200-0x0000029DE6060000-0x0000029DE6080000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2628-205-0x0000029DE6430000-0x0000029DE6450000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2628-202-0x0000029DE6020000-0x0000029DE6040000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2896-440-0x000001B85DD20000-0x000001B85DD40000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2896-442-0x000001B85D9D0000-0x000001B85D9F0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2896-444-0x000001B85E0E0000-0x000001B85E100000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3120-279-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3224-456-0x0000000002960000-0x0000000002961000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3592-266-0x000002D08C820000-0x000002D08C840000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3592-264-0x000002D08C420000-0x000002D08C440000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3592-262-0x000002D08C460000-0x000002D08C480000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3620-254-0x00000000049F0000-0x00000000049F1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3632-408-0x0000000004740000-0x0000000004741000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3652-463-0x00000205A3460000-0x00000205A3480000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3652-465-0x00000205A3420000-0x00000205A3440000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3652-467-0x00000205A3820000-0x00000205A3840000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3736-372-0x000001E128A70000-0x000001E128A90000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3736-374-0x000001E128A30000-0x000001E128A50000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3736-376-0x000001E128E40000-0x000001E128E60000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3844-352-0x0000023811A40000-0x0000023811A60000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3844-354-0x0000023811A00000-0x0000023811A20000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3844-356-0x0000023811E10000-0x0000023811E30000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3972-385-0x00000000033D0000-0x00000000033D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4044-432-0x0000000004120000-0x0000000004121000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4180-228-0x0000000004E60000-0x0000000004E61000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4424-323-0x0000000004360000-0x0000000004361000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4552-418-0x0000019C1D840000-0x0000019C1D860000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/4552-421-0x0000019C1DC90000-0x0000019C1DCB0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/4552-416-0x0000019C1D880000-0x0000019C1D8A0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/4688-384-0x0000000000400000-0x000000000046B000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/4688-12-0x0000000000400000-0x000000000046B000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/4688-2-0x00000000004C0000-0x00000000005C0000-memory.dmp

                        Filesize

                        1024KB

                        Download

                      • memory/4688-80-0x0000000000400000-0x000000000046B000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/4688-123-0x00000000004C0000-0x00000000005C0000-memory.dmp

                        Filesize

                        1024KB

                        Download

                      • memory/4688-1-0x0000000000400000-0x000000000046B000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/4688-276-0x0000000000400000-0x000000000046B000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/4764-479-0x0000000004490000-0x0000000004491000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/5104-364-0x0000000004820000-0x0000000004821000-memory.dmp

                        Filesize

                        4KB

                        Download