Analysis
-
max time kernel
55s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
26-07-2024 18:52
General
-
Target
7549fe42cffb0adeb13cc91b2540d6b1_JaffaCakes118.exe
-
Size
272KB
-
MD5
7549fe42cffb0adeb13cc91b2540d6b1
-
SHA1
1b73c5253ff1a49ac78d60858df5d1c749b650df
-
SHA256
2b81ed549fbe39010b355378886480a3481fdda28ab4807e63ccffe0395434f1
-
SHA512
732a65e6b8854309e0ad56b9be61887905467f5be3a26736fd9bb60710da25e6eb27cc8400c156fa893c48f25bd5834d705b9a08d0847fb4c41569add7769d91
-
SSDEEP
6144:s8U2YYy2qPNNOJLNPsfJW/Q4DL+G13+0gyuyifHZizZbBhgDDAXSyjOZ:FX5yHNNOJLNURWlSG1u0tuyyipDgDkdo
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 10 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7549fe42cffb0adeb13cc91b2540d6b1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7549fe42cffb0adeb13cc91b2540d6b1_JaffaCakes118.exe"1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\7549fe42cffb0adeb13cc91b2540d6b1_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\7549fe42cffb0adeb13cc91b2540d6b1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\ABA88\4514C.exe%C:\Users\Admin\AppData\Roaming\ABA882⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\7549fe42cffb0adeb13cc91b2540d6b1_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\7549fe42cffb0adeb13cc91b2540d6b1_JaffaCakes118.exe startC:\Program Files (x86)\886FF\lvvm.exe%C:\Program Files (x86)\886FF2⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\LP\4C4A\15A6.tmp"C:\Program Files (x86)\LP\4C4A\15A6.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LP\4C4A\15A6.tmpFilesize
96KB
MD53e46f83109b96666a6e103dc91e37761
SHA1e0c1c8f9912707fb79edbe14feb9e27a0b3b3214
SHA256b300587e7b45f428cdbfdff40072a4fd40ccb0411821eff3c2d78bad6a2fcf6c
SHA51271e19e0d9ae5e7d2502e0a6affbbe9a36fa594a4dc3f6343b29aeb7f041b624e11a82f86c1cfe185d7faa8abd3666419e0f10176fa35696031a0dffe6c91adbb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9Filesize
471B
MD58fff048a7c06082010b89d293f839718
SHA17522f573e742c250340a225b644c53eed1efeb4d
SHA256f262436c723d73cf516b6f95cb59e289841e9c8a4141b098d8a3a92bd27ca0d1
SHA51265c1f1f98ad28d5e9bac8e0d58936b11a3e7944a5c2e53f38089055aab2148ba9c5278a5b7da7efd266da3154cc2cc5dcad5549da575fb2d7f11b4a9d54ad0f7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9Filesize
420B
MD5c9481d3d9fcf9e26025960aa609f52ac
SHA1250c4aa4b129920dbfca865b7bb23a8f3aaf780c
SHA25651721c82d43d9f1176ff973b2bff4486574ff1e1beedd2a09b852838e8d9d374
SHA5122233b8c4d1d694ff1e581306285e40c8477de2fefe5a08607d6640e9efc25c50560928b97ba06ea810572dc4831fd53dc3038ff7ec0df7ca918c865458457b96
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbresFilesize
2KB
MD5f46ae1505a5f9b8e3d9d0d8371dbb556
SHA1039f132458eaf2a218e96637a137559c0c879ec0
SHA256a19cfae91c8100a944a6bec0245a301618ce94bc4cbeee813eef0b08652c8539
SHA512220187ac5873f12bf3ee0b5bd3fc2e6651a2c429df32a3f60ac173a8adc40c2495c475e74dfd4ba4369d8d31cad3b514a6cc6979f82b13eab53a85954036333d
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___docs_oracle_com_javase_8_docsFilesize
36KB
MD58aaad0f4eb7d3c65f81c6e6b496ba889
SHA1231237a501b9433c292991e4ec200b25c1589050
SHA256813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
SHA5121a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133665088588377608.txtFilesize
75KB
MD5fc52a1c2c7b6f8daf96a40e9b2e9ed98
SHA142a30eff7bed39352d6c25b56c67fa50344efce2
SHA256c2500a0e4760dbe781fddb3580fef09a528b792cfebe8f008c52457d957238ab
SHA512f26fbd8399af11279b61c11cb4c19c6a85e67a5593f09431ed526ab9572d709bb60fc171e728b0a639b6f4bee8ca8d95169a381e7521888dac18d00e8eeba24c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\IPWDBVC8\microsoft.windows[1].xmlFilesize
97B
MD52065215028a7b049f3c2fb76ba1546ba
SHA193635d3fb4aad5e8c7e0e587aaf361e4fea59d15
SHA256eb95953230a3e16e917b8d37b9ec78ff50b28b0467cbff3774aa8b96cb13aa60
SHA512c2f97a1ebc3a5a3f98eea57b7f8e4c73ba452581ba905eab90395640fdc5c34d0bab07307a250543c424d5d44e7549724ff5c8e3958eeb1583426613eb68d0ad
-
C:\Users\Admin\AppData\Roaming\ABA88\86FF.BA8Filesize
596B
MD5aa97fddd3d3228bf0e5d7c6b8a37fd91
SHA1ce6cf6238291312ff02365dd8659d85f244c3fe2
SHA2561cf8327ad6f4ae259eaf6b720aa1c308dcf0f36c4b1b5dafa235379b6de1f1fb
SHA512a0e366e39ec7dd1137d59d158594c59613802c7bb8f67b7ef3380b4f8eeb352a008f3615a56f19141b7b16820d37accb1589ebba8648e219a2a0332dfa8c4ee0
-
C:\Users\Admin\AppData\Roaming\ABA88\86FF.BA8Filesize
996B
MD5430b19c4910665c08f77bd218974e5ee
SHA187ff52e3a76533f333b93bec24275b556a89c8f2
SHA256f8685a8d652be26434f5239617c04f0e2ebaf80d71a781268c73afb501eeabfe
SHA5124fce1de71cb2e933e1e68d389f79399fd865c19f65edebab670d3a34af3643bd41a569c1bb6ff1ab04d032d7a6c6524b46c7d9bc0b23790b269fde8a11739f49
-
C:\Users\Admin\AppData\Roaming\ABA88\86FF.BA8Filesize
600B
MD558a8288628ffc80958ab6161d4713156
SHA15f571d4c543689c5f3f2b17a782d7dbed749d1c5
SHA25624080ed9cd9fd2571d855cb38794ebe6736bc19447c9520da46aa092f8856a6f
SHA512226aee063b3e4afc02ee7d13198d27f0b2b25ab99d1f27cd82cdaf3cf22799a85f5a2fcf0f04c6e7cffecb8ab2d8a9b007b08e2246dae01de1edf5f170afdac4
-
C:\Users\Admin\AppData\Roaming\ABA88\86FF.BA8Filesize
1KB
MD532f20d4ecaa898b86f90a88611ec902c
SHA1d0230915e603e2935f405c4e6ec1ce47a6728471
SHA25614c678e6ee6c17f836cd6df2926b34884b76aab50cb4d1ea2e6132f874f5ba7b
SHA5124c9a6916c4bb97cecc65b802d25b089f83d005f035789bb83e0794367d93c4322bb90746fa17df6646702068c74be0abc79d29dcf95b8e97ac3b3d7960b39441
-
memory/372-132-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/548-613-0x0000000004330000-0x0000000004331000-memory.dmpFilesize
4KB
-
memory/1556-1080-0x000001F198020000-0x000001F198040000-memory.dmpFilesize
128KB
-
memory/1556-1065-0x000001F196F00000-0x000001F197000000-memory.dmpFilesize
1024KB
-
memory/1556-1102-0x000001F198420000-0x000001F198440000-memory.dmpFilesize
128KB
-
memory/1556-1066-0x000001F196F00000-0x000001F197000000-memory.dmpFilesize
1024KB
-
memory/1556-1070-0x000001F198060000-0x000001F198080000-memory.dmpFilesize
128KB
-
memory/1684-16-0x000000000076D000-0x000000000078B000-memory.dmpFilesize
120KB
-
memory/1684-17-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/2148-479-0x000001FAAAC00000-0x000001FAAAC20000-memory.dmpFilesize
128KB
-
memory/2148-489-0x000001FAAB000000-0x000001FAAB020000-memory.dmpFilesize
128KB
-
memory/2148-468-0x000001FAAAC40000-0x000001FAAAC60000-memory.dmpFilesize
128KB
-
memory/2360-301-0x000001413E000000-0x000001413E100000-memory.dmpFilesize
1024KB
-
memory/2360-317-0x000001413ED20000-0x000001413ED40000-memory.dmpFilesize
128KB
-
memory/2360-332-0x000001413F540000-0x000001413F560000-memory.dmpFilesize
128KB
-
memory/2360-299-0x000001413E000000-0x000001413E100000-memory.dmpFilesize
1024KB
-
memory/2360-304-0x000001413ED60000-0x000001413ED80000-memory.dmpFilesize
128KB
-
memory/2372-1217-0x0000016E44720000-0x0000016E44820000-memory.dmpFilesize
1024KB
-
memory/2372-1216-0x0000016E44720000-0x0000016E44820000-memory.dmpFilesize
1024KB
-
memory/2372-1221-0x0000016E45870000-0x0000016E45890000-memory.dmpFilesize
128KB
-
memory/2372-1232-0x0000016E45830000-0x0000016E45850000-memory.dmpFilesize
128KB
-
memory/2372-1253-0x0000016E45C40000-0x0000016E45C60000-memory.dmpFilesize
128KB
-
memory/2396-1063-0x00000000033B0000-0x00000000033B1000-memory.dmpFilesize
4KB
-
memory/2620-917-0x0000022D8FC00000-0x0000022D8FD00000-memory.dmpFilesize
1024KB
-
memory/2620-921-0x0000022D90D60000-0x0000022D90D80000-memory.dmpFilesize
128KB
-
memory/2620-916-0x0000022D8FC00000-0x0000022D8FD00000-memory.dmpFilesize
1024KB
-
memory/2620-944-0x0000022D91130000-0x0000022D91150000-memory.dmpFilesize
128KB
-
memory/2620-933-0x0000022D90D20000-0x0000022D90D40000-memory.dmpFilesize
128KB
-
memory/2988-765-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/3352-610-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3572-296-0x0000000003760000-0x0000000003761000-memory.dmpFilesize
4KB
-
memory/3572-1366-0x000001DB22320000-0x000001DB22420000-memory.dmpFilesize
1024KB
-
memory/3572-1374-0x000001DB23430000-0x000001DB23450000-memory.dmpFilesize
128KB
-
memory/3572-1370-0x000001DB23470000-0x000001DB23490000-memory.dmpFilesize
128KB
-
memory/3664-1364-0x0000000003EE0000-0x0000000003EE1000-memory.dmpFilesize
4KB
-
memory/3692-14-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/3692-0-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/3692-3-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/3692-130-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/3692-294-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/3692-2-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/3692-611-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/3728-782-0x0000016500540000-0x0000016500560000-memory.dmpFilesize
128KB
-
memory/3728-804-0x0000016500950000-0x0000016500970000-memory.dmpFilesize
128KB
-
memory/3728-768-0x0000016D7F420000-0x0000016D7F520000-memory.dmpFilesize
1024KB
-
memory/3728-772-0x0000016500580000-0x00000165005A0000-memory.dmpFilesize
128KB
-
memory/3788-461-0x0000000003F90000-0x0000000003F91000-memory.dmpFilesize
4KB
-
memory/3960-617-0x000001DC9AD50000-0x000001DC9AE50000-memory.dmpFilesize
1024KB
-
memory/3960-620-0x000001DC9BEB0000-0x000001DC9BED0000-memory.dmpFilesize
128KB
-
memory/3960-642-0x000001DC9C280000-0x000001DC9C2A0000-memory.dmpFilesize
128KB
-
memory/3960-631-0x000001DC9BE70000-0x000001DC9BE90000-memory.dmpFilesize
128KB
-
memory/3960-615-0x000001DC9AD50000-0x000001DC9AE50000-memory.dmpFilesize
1024KB
-
memory/3960-616-0x000001DC9AD50000-0x000001DC9AE50000-memory.dmpFilesize
1024KB
-
memory/4320-913-0x0000000004650000-0x0000000004651000-memory.dmpFilesize
4KB
-
memory/5008-1214-0x0000000004D60000-0x0000000004D61000-memory.dmpFilesize
4KB