Analysis
-
max time kernel
69s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
26-07-2024 00:27
General
-
Target
71e0d248f4ea79121ddeac09be5d1a1b_JaffaCakes118.exe
-
Size
275KB
-
MD5
71e0d248f4ea79121ddeac09be5d1a1b
-
SHA1
3af6abd1fe4d39d2caaf657986087b7c8c02bc75
-
SHA256
aaf2fec22b8addb34eb21ed38646763628cee3ff40bf0053d8ba2cad07cc05b8
-
SHA512
4e2ef14c3a78503dedda50f820711437888bf5814249a1a9fa43bd757e1f269ab396635bb8b1546e076c17f70322e31babfb579dca7e6975ce7c012407ebe57f
-
SSDEEP
6144:j8PUWxaBAOrrh3C4g2AqtLWT0BMJqD8Bc1p6SvABOkaKr:jBiaBXrhSPJqtLWAYZq6RO
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 11 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 16 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\71e0d248f4ea79121ddeac09be5d1a1b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\71e0d248f4ea79121ddeac09be5d1a1b_JaffaCakes118.exe"1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\71e0d248f4ea79121ddeac09be5d1a1b_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\71e0d248f4ea79121ddeac09be5d1a1b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\18AE0\78148.exe%C:\Users\Admin\AppData\Roaming\18AE02⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\71e0d248f4ea79121ddeac09be5d1a1b_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\71e0d248f4ea79121ddeac09be5d1a1b_JaffaCakes118.exe startC:\Program Files (x86)\E0CE3\lvvm.exe%C:\Program Files (x86)\E0CE32⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\LP\4811\1160.tmp"C:\Program Files (x86)\LP\4811\1160.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LP\4811\1160.tmpFilesize
97KB
MD59c85bd17493589b355bde43c7816e9df
SHA1aadfffdf9f58ad9340af181513d9d9ae08f886c3
SHA256c4985933ec39f9787a37466153497fb56d3dd43d49909c436362ef488d0587f8
SHA51243a764d9c6681167f7bb393d526255390c3655bf2488e3b0ee0316e88f1d7dbecafaf22a34eb791a48ebbd2b0f1bd4d3cee06e7e82c2ab55d18c77af6e25ce59
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9Filesize
471B
MD54eb8bd2bc530eb9109ff66a5726bf5ad
SHA1e42dbc51ca9c30da7d905090a72b671427598b3c
SHA2561e8c0410131c5a732c88c64b21e530b5dd17683f07b6e80bb0bd2339b6b1a0f8
SHA512dbfdeddf8791878d371f7ad9e8b715326c120a8ec141ab87f6bc4386176d477b76c4c36604644ccea0e6b781014ed9b63113d385e0b5c6adf6e0808ad4f86765
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9Filesize
420B
MD598ea56cd9b0bb74038c7348a589af596
SHA1918379c44bd7836fc973876b9549359ce6596e0d
SHA25656681950940890d7eed1edb37fac3790be2318aee2a7370747a888844e497468
SHA5126999dd46d3366d091f38a724455f2cdb088e92bc9f729c1ad5ddd76bf726c8870409f37fd559912150384585a1d1846a509a69be8daba2ac54152e8e08f0b411
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbresFilesize
2KB
MD57b810cf9e6571f98ec853ff21e4b648e
SHA140968313dd3c338d5d079ae1b9b2284eabde98a7
SHA2565a3d84d308c90335ceac22dbbc2c0932fc23d5fa2165f2ed8e82a93ce7c6aa9a
SHA512c6e591428ba414bc3fa95b9b67904a80f7beccc05b6c5ed2afa59e0eedea51ef3ab70a1c5f7e995d8084440ad64126f56e6d49244710eab9508dfac209ea92e2
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664272719418348.txtFilesize
75KB
MD59cd28ab9709b6b0f22bd49cd94ec2042
SHA16b3c2eaef0391501f024fc7b40960f32184b9080
SHA2561b7a3f33f34246f7e7cafebd60c71ef578cc4ff98702a9284987308ab93aabe8
SHA512cfe384a760d276bb6a7eec743ce8f0e367b3e87b294b013c8a439a209c83402a94c46eeb39906389de948340b163c00b07d18da6c939b8339cbce56de298f16e
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HJ7J86Y5\microsoft.windows[1].xmlFilesize
97B
MD5a1d5ffdb726a9647b35792c516a012fc
SHA1ff330c546ecec38f962e90594f70abe2539f23e5
SHA256770d9ad3f136a240e498181127342c8282467e14b6dbe6cad10b20c5cba1ec09
SHA512ead7820a41f5e5e31b2b0b1c0b6bd441899b57fe549f685edda664272ef75e58e4598f2fe4d595bde1cb8c54aa244dda8577f3c10c66b49cc8c1815df02a6a94
-
C:\Users\Admin\AppData\Roaming\18AE0\0CE3.8AEFilesize
1KB
MD56f0d46cc4967be800f657b916172c34f
SHA13cd31413b93caae1b1105d09d0c1f7de4bdd6a46
SHA2560f07d92d79ebf741ba247c234626bc96edbe9b2d4b89ab6680ba2331e9d773d5
SHA512b1569c6a080ffb3593d1f562ed63663593cca652514726de114ddf4d04aaf9bbe4a84e6e89cf5f978383883d6ce6d88ab389992f94ccd2ddf1086a7504832957
-
C:\Users\Admin\AppData\Roaming\18AE0\0CE3.8AEFilesize
696B
MD596cefb2bce8fd07b83c278fee9c1039e
SHA1eea3005c921e5c6a9c3ce29b201bffaacefdfa69
SHA25693dcdd0e3ff62bbd7b3451523af75a5836be2dadee232686003b29cb7cc36b3e
SHA512ae5043246996166a3ea207e50a7bb209b0dddd0c3a57b169cdcf42c9335d8437121a13eadd9879afb2360092dce9e66ee8648a8d18355069861eec26d14676c2
-
C:\Users\Admin\AppData\Roaming\18AE0\0CE3.8AEFilesize
300B
MD5736b7fefcdf3db9b0d3c6f813a084c50
SHA1f367452fa3edcca31f5494a04e9025e6207f1d37
SHA256dae76c51e641e2c066230cd08bba2631d0a6347beda45442f3f940be7492ceda
SHA512fc10d7ca83f4d46798d13532c3d9dcd12bf7b43d645175085297c23d43a9760c2a8fdff97973247261d2d919fdb661a7665043e761689b2ccf245c7f99b1b8cf
-
C:\Users\Admin\AppData\Roaming\18AE0\0CE3.8AEFilesize
1KB
MD5bf5e0c041982480bdcdeb6be9280ace4
SHA103677c9ce17d0072e82fa0b587770bb4db96ca77
SHA25673f849d04e4b688a0ab8688619a10c06be153374c7dd2585e9def11e460fb47c
SHA5128f0cafb0083471ad2b587d1f3e9214ab8392952eece6039a8be5bc004646ff8b5d767110cc757b1d354a9010f72b501c7ff1a2aea02f29eabdd926342fd427fa
-
memory/228-276-0x000002ACA49A0000-0x000002ACA49C0000-memory.dmpFilesize
128KB
-
memory/228-260-0x000002ACA4590000-0x000002ACA45B0000-memory.dmpFilesize
128KB
-
memory/228-246-0x000002A4A2500000-0x000002A4A2600000-memory.dmpFilesize
1024KB
-
memory/228-251-0x000002ACA45D0000-0x000002ACA45F0000-memory.dmpFilesize
128KB
-
memory/736-873-0x00000000044C0000-0x00000000044C1000-memory.dmpFilesize
4KB
-
memory/1736-1020-0x000001C34A800000-0x000001C34A900000-memory.dmpFilesize
1024KB
-
memory/1736-1025-0x000001C34B890000-0x000001C34B8B0000-memory.dmpFilesize
128KB
-
memory/1736-1044-0x000001C34BC60000-0x000001C34BC80000-memory.dmpFilesize
128KB
-
memory/1736-1031-0x000001C34B850000-0x000001C34B870000-memory.dmpFilesize
128KB
-
memory/1736-1021-0x000001C34A800000-0x000001C34A900000-memory.dmpFilesize
1024KB
-
memory/1812-12-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/1812-11-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1812-13-0x00000000006A2000-0x00000000006C3000-memory.dmpFilesize
132KB
-
memory/1968-728-0x000002874D500000-0x000002874D600000-memory.dmpFilesize
1024KB
-
memory/1968-729-0x000002874D500000-0x000002874D600000-memory.dmpFilesize
1024KB
-
memory/1968-760-0x000002874E9F0000-0x000002874EA10000-memory.dmpFilesize
128KB
-
memory/1968-745-0x000002874E3E0000-0x000002874E400000-memory.dmpFilesize
128KB
-
memory/1968-733-0x000002874E620000-0x000002874E640000-memory.dmpFilesize
128KB
-
memory/2088-1349-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/2144-417-0x0000000004FB0000-0x0000000004FB1000-memory.dmpFilesize
4KB
-
memory/2488-1152-0x0000000004890000-0x0000000004891000-memory.dmpFilesize
4KB
-
memory/2756-1170-0x000001AF89130000-0x000001AF89150000-memory.dmpFilesize
128KB
-
memory/2756-1158-0x000001AF89170000-0x000001AF89190000-memory.dmpFilesize
128KB
-
memory/2756-1153-0x000001AF88000000-0x000001AF88100000-memory.dmpFilesize
1024KB
-
memory/2756-1154-0x000001AF88000000-0x000001AF88100000-memory.dmpFilesize
1024KB
-
memory/2756-1155-0x000001AF88000000-0x000001AF88100000-memory.dmpFilesize
1024KB
-
memory/2756-1182-0x000001AF89540000-0x000001AF89560000-memory.dmpFilesize
128KB
-
memory/3128-1018-0x0000000002BE0000-0x0000000002BE1000-memory.dmpFilesize
4KB
-
memory/3284-1351-0x0000019A1ED00000-0x0000019A1EE00000-memory.dmpFilesize
1024KB
-
memory/3504-879-0x0000022110D00000-0x0000022110D20000-memory.dmpFilesize
128KB
-
memory/3504-876-0x000002210FC00000-0x000002210FD00000-memory.dmpFilesize
1024KB
-
memory/3504-911-0x00000221110D0000-0x00000221110F0000-memory.dmpFilesize
128KB
-
memory/3504-887-0x00000221109C0000-0x00000221109E0000-memory.dmpFilesize
128KB
-
memory/3504-875-0x000002210FC00000-0x000002210FD00000-memory.dmpFilesize
1024KB
-
memory/3504-874-0x000002210FC00000-0x000002210FD00000-memory.dmpFilesize
1024KB
-
memory/3708-242-0x0000000004D00000-0x0000000004D01000-memory.dmpFilesize
4KB
-
memory/4056-726-0x0000000004FF0000-0x0000000004FF1000-memory.dmpFilesize
4KB
-
memory/4156-609-0x0000024F06B00000-0x0000024F06B20000-memory.dmpFilesize
128KB
-
memory/4156-589-0x0000024F064E0000-0x0000024F06500000-memory.dmpFilesize
128KB
-
memory/4156-580-0x0000024F06520000-0x0000024F06540000-memory.dmpFilesize
128KB
-
memory/4156-575-0x0000024F04700000-0x0000024F04800000-memory.dmpFilesize
1024KB
-
memory/4196-571-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/4196-3-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/4196-9-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/4196-122-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/4196-2-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/4196-126-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/4196-0-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/4248-245-0x0000000003160000-0x0000000003161000-memory.dmpFilesize
4KB
-
memory/4548-419-0x000001FB11C00000-0x000001FB11D00000-memory.dmpFilesize
1024KB
-
memory/4548-420-0x000001FB11C00000-0x000001FB11D00000-memory.dmpFilesize
1024KB
-
memory/4548-424-0x000001FB12D60000-0x000001FB12D80000-memory.dmpFilesize
128KB
-
memory/4548-439-0x000001FB12D20000-0x000001FB12D40000-memory.dmpFilesize
128KB
-
memory/4548-456-0x000001FB13130000-0x000001FB13150000-memory.dmpFilesize
128KB
-
memory/4736-574-0x0000000004C50000-0x0000000004C51000-memory.dmpFilesize
4KB
-
memory/4856-125-0x00000000005D4000-0x00000000005F5000-memory.dmpFilesize
132KB
-
memory/4856-124-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/5068-570-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB