Analysis
-
max time kernel
69s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
20-04-2024 09:41
General
-
Target
fc7753f0a25e73313c112e950f4dcb82_JaffaCakes118.exe
-
Size
274KB
-
MD5
fc7753f0a25e73313c112e950f4dcb82
-
SHA1
7bda237901f113c26d8ea2484fa7836d024734b2
-
SHA256
2035d6db87e2c859d451ce356d44e6e582c9f890253f2f0215496b4243f21a24
-
SHA512
d60fac34066470eabe75753ac083484f0973fe48c5ba9bbfcfbbaea415999c36d3dc4e1a41fd26bf9a7447ff67e12ac3a2a84cb2e4cdcb6eec4cbb2814215a7a
-
SSDEEP
6144:wjAbNIifXBAhxdI0Bb9682kNJIWQSv+F35pm:wj3if2hxmMb96pkfvsF3
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Disables taskbar notifications via registry modification
-
Modifies Installed Components in the registry 2 TTPs 12 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 16 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 20 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc7753f0a25e73313c112e950f4dcb82_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fc7753f0a25e73313c112e950f4dcb82_JaffaCakes118.exe"1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\fc7753f0a25e73313c112e950f4dcb82_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fc7753f0a25e73313c112e950f4dcb82_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\0E619\9EC7D.exe%C:\Users\Admin\AppData\Roaming\0E6192⤵
-
C:\Users\Admin\AppData\Local\Temp\fc7753f0a25e73313c112e950f4dcb82_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fc7753f0a25e73313c112e950f4dcb82_JaffaCakes118.exe startC:\Program Files (x86)\19312\lvvm.exe%C:\Program Files (x86)\193122⤵
-
C:\Program Files (x86)\LP\7DB0\BD16.tmp"C:\Program Files (x86)\LP\7DB0\BD16.tmp"2⤵
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LP\7DB0\BD16.tmpFilesize
97KB
MD5fa101a64c2b8a30352bcf59bc18e32b4
SHA104279a841b85fad0c2a362693a2ddd976c850089
SHA256fa59f58dccce3e5b13ef18ba48843d86caaf16813f1afd133bc9405350a152f1
SHA512484caf3d360ca5e8e251fe0186064dd133a7cb6c2d313bc505adc6a2ac1efe8dc9cf54c2a9bd5d670b7f49b34499a8b7d2ae277b5da426115305c39c4a367553
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD5f3945b57f0f3c105bd40af2901e4822a
SHA193dabbe9a560f3d59ad8ce8d5dc941909fe21ec1
SHA25660ede5fc5d4e90f27afe2e8c8a14ebb0cf75df70ad29f8524f4b748a04203d39
SHA512212a88efd8a79e9b20aa86c83cb3f05e093a9233e4eb7e2d1064c599c8bbb5085b8ef45433d4d6266f80604af3d1e0a29dbbfbe124c5e18710ddb76b1ad2de0f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD5c0ff7fb920bd086f0e5c313e1ef1c5b5
SHA1930de4095ab2736c77b8f04f564f4eb88d3649c1
SHA25659a2d6c0afd76a6a56ac95eabf96c7456f70e84be240478a8abe41e50ffa0d28
SHA512694b2b970d0dc9454f7c50cc36944bf79ee1acac47441852c9aaf0ce64837d7d0e89eae50eea6a33fbbd0286bc570baf1174a1f01c4f3080ee2b85834bad90ff
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15Filesize
36KB
MD50e2a09c8b94747fa78ec836b5711c0c0
SHA192495421ad887f27f53784c470884802797025ad
SHA2560c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36
SHA51261530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9WJOX3RG\microsoft.windows[1].xmlFilesize
97B
MD57131cfa66caca1ddbd240f6d7439e730
SHA18575e548f01c9044edefe6f41ce0a2b8814f8af2
SHA2568deac6a02c099937736735d7b435e518fc86c7a0f175b7e012a8845e2da836ac
SHA512d310f029ee1670e78b015ec6a96371ae1f4d4a770141008a49ced78e7f30bddef5a522449dea39d4591baa4f40117b5b7e2fcd09c7b5661d16e6fe73effb7a78
-
C:\Users\Admin\AppData\Roaming\0E619\9312.E61Filesize
600B
MD58f403fe074db7d431af84d4abc4003ab
SHA11eeb87b8b007289f14ef2f9a94aed71d34c0a640
SHA2563cf4d370edf8b189b28f586cbe4bd7d0d8932e4f860a0af1a777c1910e80a346
SHA5125f598410ede889f2e331918cd8fa990012224eff634323d1ea8ea8ef57d09a6d3871e9b202178f0a2e7372a10350adb0597dad74a3f7817e2a16a83349168c7f
-
C:\Users\Admin\AppData\Roaming\0E619\9312.E61Filesize
996B
MD59485e9893eb285aaaa1284d9fbee2fd0
SHA1eeea6d4019301b314e841647cc32cff603df4239
SHA256eab67623c845491b3c8ab985c59dec8f37db7d0c8213bf303760e84df24d4a86
SHA51240de9f270816d87a1998206934c5bbb993d8cad80cd70c4750fab40a364a72a44a59520681bb37f481d984173e1248ab2dd349b77f798a9dba0a5ce1efc7bda4
-
C:\Users\Admin\AppData\Roaming\0E619\9312.E61Filesize
1KB
MD59949e9c9fec3dc49a18a893d7357ef55
SHA12b0938e1f0ec69ed573f702f39a9b6b4c335e8a0
SHA256031b47f1b00de0abeb2ce8c4c1103a64d78c445b3c696f633c878585892b9059
SHA51267d9bc00d435713732ecd42e37f48a1551b429b57c0976c407f554a72f1d87ff71efc6f0d1a7492d174351de7cb4b68ac42e7785314a1b3780cf543fa6b87107
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/516-316-0x0000019FE2D10000-0x0000019FE2D30000-memory.dmpFilesize
128KB
-
memory/516-312-0x0000019FE2940000-0x0000019FE2960000-memory.dmpFilesize
128KB
-
memory/516-314-0x0000019FE2900000-0x0000019FE2920000-memory.dmpFilesize
128KB
-
memory/628-388-0x0000000004D30000-0x0000000004D31000-memory.dmpFilesize
4KB
-
memory/668-528-0x0000000004200000-0x0000000004201000-memory.dmpFilesize
4KB
-
memory/1420-503-0x0000000004860000-0x0000000004861000-memory.dmpFilesize
4KB
-
memory/1488-456-0x0000000004850000-0x0000000004851000-memory.dmpFilesize
4KB
-
memory/1884-179-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/1884-478-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/1884-185-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1884-74-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/1884-0-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/1884-2-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1884-386-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/2616-432-0x00000000036A0000-0x00000000036A1000-memory.dmpFilesize
4KB
-
memory/3484-360-0x00000000045D0000-0x00000000045D1000-memory.dmpFilesize
4KB
-
memory/3592-396-0x000002A9B1840000-0x000002A9B1860000-memory.dmpFilesize
128KB
-
memory/3592-400-0x000002A9B1C10000-0x000002A9B1C30000-memory.dmpFilesize
128KB
-
memory/3592-398-0x000002A9B1800000-0x000002A9B1820000-memory.dmpFilesize
128KB
-
memory/3704-593-0x0000000004220000-0x0000000004221000-memory.dmpFilesize
4KB
-
memory/3756-305-0x0000000003120000-0x0000000003121000-memory.dmpFilesize
4KB
-
memory/3788-411-0x0000000002F00000-0x0000000002F01000-memory.dmpFilesize
4KB
-
memory/3888-513-0x00000183C8650000-0x00000183C8670000-memory.dmpFilesize
128KB
-
memory/3888-515-0x00000183C8C60000-0x00000183C8C80000-memory.dmpFilesize
128KB
-
memory/3888-511-0x00000183C8690000-0x00000183C86B0000-memory.dmpFilesize
128KB
-
memory/4004-492-0x000001C7E8C30000-0x000001C7E8C50000-memory.dmpFilesize
128KB
-
memory/4004-490-0x000001C7E8820000-0x000001C7E8840000-memory.dmpFilesize
128KB
-
memory/4004-488-0x000001C7E8860000-0x000001C7E8880000-memory.dmpFilesize
128KB
-
memory/4008-480-0x0000000004040000-0x0000000004041000-memory.dmpFilesize
4KB
-
memory/4404-538-0x0000028C2BF00000-0x0000028C2BF20000-memory.dmpFilesize
128KB
-
memory/4404-536-0x0000028C2BF40000-0x0000028C2BF60000-memory.dmpFilesize
128KB
-
memory/4404-540-0x0000028C2C310000-0x0000028C2C330000-memory.dmpFilesize
128KB
-
memory/4468-181-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/4468-182-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/4468-183-0x00000000006F0000-0x00000000007F0000-memory.dmpFilesize
1024KB
-
memory/4856-76-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/4856-78-0x0000000000660000-0x0000000000760000-memory.dmpFilesize
1024KB
-
memory/4856-358-0x0000000000660000-0x0000000000760000-memory.dmpFilesize
1024KB
-
memory/5104-572-0x00000000044B0000-0x00000000044B1000-memory.dmpFilesize
4KB
-
memory/5152-347-0x0000016F70380000-0x0000016F703A0000-memory.dmpFilesize
128KB
-
memory/5152-351-0x0000016F70750000-0x0000016F70770000-memory.dmpFilesize
128KB
-
memory/5152-349-0x0000016F70340000-0x0000016F70360000-memory.dmpFilesize
128KB
-
memory/5232-562-0x000001DF8B060000-0x000001DF8B080000-memory.dmpFilesize
128KB
-
memory/5232-560-0x000001DF8B0A0000-0x000001DF8B0C0000-memory.dmpFilesize
128KB
-
memory/5232-564-0x000001DF8B470000-0x000001DF8B490000-memory.dmpFilesize
128KB
-
memory/5244-444-0x0000024CD0FA0000-0x0000024CD0FC0000-memory.dmpFilesize
128KB
-
memory/5244-440-0x0000024CD0BD0000-0x0000024CD0BF0000-memory.dmpFilesize
128KB
-
memory/5244-442-0x0000024CD0B90000-0x0000024CD0BB0000-memory.dmpFilesize
128KB
-
memory/5560-423-0x0000025E3CE80000-0x0000025E3CEA0000-memory.dmpFilesize
128KB
-
memory/5560-419-0x0000025E3C8B0000-0x0000025E3C8D0000-memory.dmpFilesize
128KB
-
memory/5560-421-0x0000025E3C870000-0x0000025E3C890000-memory.dmpFilesize
128KB
-
memory/5568-339-0x0000000004EF0000-0x0000000004EF1000-memory.dmpFilesize
4KB
-
memory/5840-466-0x000001A36DF70000-0x000001A36DF90000-memory.dmpFilesize
128KB
-
memory/5840-464-0x000001A36DFB0000-0x000001A36DFD0000-memory.dmpFilesize
128KB
-
memory/5840-468-0x000001A36E380000-0x000001A36E3A0000-memory.dmpFilesize
128KB
-
memory/5876-373-0x000001C8F9D70000-0x000001C8F9D90000-memory.dmpFilesize
128KB
-
memory/5876-375-0x000001C8FA230000-0x000001C8FA250000-memory.dmpFilesize
128KB
-
memory/5876-371-0x000001C8F9DB0000-0x000001C8F9DD0000-memory.dmpFilesize
128KB
-
memory/5888-366-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5888-385-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5888-370-0x0000000000690000-0x0000000000790000-memory.dmpFilesize
1024KB
-
memory/5984-552-0x0000000004AF0000-0x0000000004AF1000-memory.dmpFilesize
4KB
-
memory/6044-580-0x00000262E2140000-0x00000262E2160000-memory.dmpFilesize
128KB
-
memory/6044-582-0x00000262E2100000-0x00000262E2120000-memory.dmpFilesize
128KB
-
memory/6044-584-0x00000262E2510000-0x00000262E2530000-memory.dmpFilesize
128KB