4abd967bd77a75611dd4ae57456f0d8a40cab225c63c41501878beb0d85303a1

Analysis

max time kernel
27s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
Size

282KB
MD5

7555fa82400eef9e9af4a73f8f65d6cc
SHA1

23e0decff1376cbb4b3f405b5d225001db2bdd7f
SHA256

4abd967bd77a75611dd4ae57456f0d8a40cab225c63c41501878beb0d85303a1
SHA512

3260633c459d615246606089abbac11ac2bcc0c91b8d220a8ac3b87e0aa551df6847c871c5e8580654b9d0abfe68183b2e3a6b3af1a86c160477c5ec264c8406
SSDEEP

6144:crPrHEYF57R69Um+nEY0kqk4PXzCPamiHtRNCI6X:2HXF9R6ym+skK07mKX

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2288-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2288-1-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2288-3-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1968-28-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2288-30-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4456-98-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2288-137-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2288-203-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2288-339-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2288-1084-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4F4.exe = "C:\\Program Files (x86)\\LP\\64E5\\4F4.exe"	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Program Files directory 2 IoCs

Processes:

7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\LP\64E5\4F4.exe	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\64E5\4F4.exe	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

Modifies registry class 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{FFBDD500-E5DC-4C9E-862C-62513979D180}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

pid	process
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

msiexec.exeexplorer.exe

description	pid	process
Token: SeSecurityPrivilege	4180	msiexec.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

explorer.exe

pid process

4980 explorer.exe
4980 explorer.exe
4980 explorer.exe
4980 explorer.exe
4980 explorer.exe
4980 explorer.exe
4980 explorer.exe
4980 explorer.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

explorer.exe

pid	process
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

description	pid	process	target process
PID 2288 wrote to memory of 1968	2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
PID 2288 wrote to memory of 1968	2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
PID 2288 wrote to memory of 1968	2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
PID 2288 wrote to memory of 4456	2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
PID 2288 wrote to memory of 4456	2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
PID 2288 wrote to memory of 4456	2288	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2288

C:\Users\Admin\AppData\Local\Temp\7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\50F0B\1D064.exe%C:\Users\Admin\AppData\Roaming\50F0B
2⤵
- System Location Discovery: System Language Discovery
PID:1968

C:\Users\Admin\AppData\Local\Temp\7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe startC:\Program Files (x86)\0B6D8\lvvm.exe%C:\Program Files (x86)\0B6D8
2⤵
- System Location Discovery: System Language Discovery
PID:4456

C:\Program Files (x86)\LP\64E5\501F.tmp
"C:\Program Files (x86)\LP\64E5\501F.tmp"
2⤵
PID:2620

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2292

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3816

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5028

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4132

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4556

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3148

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4552

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3708

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4124

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2636

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4672

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2116

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4884

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2044

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2992

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3880

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4556

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1348

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2016

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4084

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3800

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3776

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2120

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\64E5\501F.tmp

Filesize
99KB

MD5
9d83b6d4629b9d0e96bbdb171b0dc5db

SHA1
e9bed14c44fe554e0e8385096bbacca494da30b1

SHA256
d3a6060ff059a7724a483d82025a9231a61143839b633a6d3842a58ccb5a7d7d

SHA512
301187bdcab5ca9942b2c7b7114e37e53e58b5661eef50c389622950d7691993a29f5a825132cf499ca73cdb6637d3f58afdc024cb04fac2b8e01f752209572c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
8fff048a7c06082010b89d293f839718

SHA1
7522f573e742c250340a225b644c53eed1efeb4d

SHA256
f262436c723d73cf516b6f95cb59e289841e9c8a4141b098d8a3a92bd27ca0d1

SHA512
65c1f1f98ad28d5e9bac8e0d58936b11a3e7944a5c2e53f38089055aab2148ba9c5278a5b7da7efd266da3154cc2cc5dcad5549da575fb2d7f11b4a9d54ad0f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
d67e49b14494c288288f426470f3e4bb

SHA1
ef5ba31a1a8ee4bb6f3477eef9df5a09bd90a905

SHA256
f268f56591cb8297c0b10c3b235b9b2a31ca3758ed2b399c173935cbd2f012be

SHA512
d867b1602ce6ee8de4104faac029dc569d8296f3c5e0e99cf1330953a16540f53f6c7140810ba9320feb5bae505b4da42c515326c8bf1a9ae0d498bd65ef87bd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
11b3dc02569b7580d6c19ef09625d8d4

SHA1
51b7dbe22019119960d858948370bd46d5858e49

SHA256
ca1c6171226515fd3c03d4e92fc9f273dbe8a1a9579974806413211196794701

SHA512
6864871ff4440e0242c4626283e9092c3b0a957c00a97a93f1ef89cf07d876f36b0b51c80242ded61c8678e82a55fb9809197826b5f2ce4afbbd1a294fe5d860

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133665107964723470.txt

Filesize
75KB

MD5
aabc4f708a7af69df0d622175ae1492d

SHA1
436aa7c672a84804b87e67676e72991ce4c4a622

SHA256
a1c7e207cdc8d8068d01dc30b3e5bd0f2007f01ec265bdfa98d13cc526f29101

SHA512
fee9744b5b937df0264260cf31d6ceced0a5dae9466474ba5a05bd35b7e5ac228f78bdacd7ef20af65754357b942c60c299f7cdfbbbb234ae627ffd3611a9de3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\677KTD6Z\microsoft.windows[1].xml

Filesize
97B

MD5
aade9dcc162c920fb6a9583c0721eddb

SHA1
aeb034bad9aefe41da007060ab46d3da0887d74b

SHA256
1307ee5570ea69120c2692a26459549cfc3e2a50999dd387150da2880f581db4

SHA512
743cc6c871cd490ac57538710defffb2e03ab1634f0ad7191a2938fc7f3586474d75465fece091a1f0d934688420603a7f6ef0382b47cd91f7b4007e9ca63dfa

Download Submit
C:\Users\Admin\AppData\Roaming\50F0B\B6D8.0F0

Filesize
1KB

MD5
9f737b31c898d483b4a1d7f245d9b84c

SHA1
c2480acb00fe4251ddc27f77e12ec8e916f12bdd

SHA256
f76169db8363074d47d25274197d4f0d1de188f793a42ae8e130a5f4fee9c3ff

SHA512
2c21604600aa4c6e8df68cce886b736dda157a8443e1c45bf306ad526d24b7e5e636d87d0d6d2cec1a543ad2cfba2eb4a7425942e68491b6b427f6b539084f0c

Download Submit
C:\Users\Admin\AppData\Roaming\50F0B\B6D8.0F0

Filesize
996B

MD5
a6a5282e8b5d1c6c0c541c932642eadc

SHA1
f0057559408380c1ad6b66928a0e052bb1177636

SHA256
39cfd437bdeb62ba2a9e2439aa4e3161994af3f6e0c05a295746a102a0b45a81

SHA512
c8a616df3d8b368612c47f4fc2e4a53a65d826df8e0e5dabab29ed2f1c80881a07944ab6698c39acaa80a30488fd15e18ddadd37d922de1e095b9c3b3a271ba8

Download Submit
C:\Users\Admin\AppData\Roaming\50F0B\B6D8.0F0

Filesize
300B

MD5
f4e50b48958fd78f1915621b4c8aaf9b

SHA1
94a6dbc182cbc9a70b22ef1c335b72bc41c284b9

SHA256
944b5b5f9164a929c35903928111e306a0b4b8479b63d4f2d658c36c03810874

SHA512
a8542ced8776c858fd7487a44f382d3841ee906ae2c1441588fa17ecca5c89c776a92f7cdddceca9fc03a3751cf0fb09311468e3f151ff222459cf5f17e25dbb

Download Submit
memory/1076-1233-0x000002A5881B0000-0x000002A5881D0000-memory.dmp

Filesize
128KB

Download
memory/1076-1228-0x000002A587160000-0x000002A587260000-memory.dmp

Filesize
1024KB

Download
memory/1076-1237-0x000002A588170000-0x000002A588190000-memory.dmp

Filesize
128KB

Download
memory/1076-1229-0x000002A587160000-0x000002A587260000-memory.dmp

Filesize
1024KB

Download
memory/1076-1248-0x000002A588780000-0x000002A5887A0000-memory.dmp

Filesize
128KB

Download
memory/1080-795-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/1968-28-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1968-227-0x000001BC10680000-0x000001BC106A0000-memory.dmp

Filesize
128KB

Download
memory/1968-222-0x000001B40E520000-0x000001B40E620000-memory.dmp

Filesize
1024KB

Download
memory/1968-252-0x000001BC10640000-0x000001BC10660000-memory.dmp

Filesize
128KB

Download
memory/1968-258-0x000001BC10A50000-0x000001BC10A70000-memory.dmp

Filesize
128KB

Download
memory/2116-1087-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/2288-137-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2288-339-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2288-203-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2288-30-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2288-3-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2288-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2288-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2288-1084-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2620-218-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2628-221-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3076-383-0x000001DBA82D0000-0x000001DBA82F0000-memory.dmp

Filesize
128KB

Download
memory/3076-406-0x000001DBA86A0000-0x000001DBA86C0000-memory.dmp

Filesize
128KB

Download
memory/3076-392-0x000001DBA8290000-0x000001DBA82B0000-memory.dmp

Filesize
128KB

Download
memory/3148-550-0x0000015F9BB80000-0x0000015F9BBA0000-memory.dmp

Filesize
128KB

Download
memory/3148-528-0x0000015799B00000-0x0000015799C00000-memory.dmp

Filesize
1024KB

Download
memory/3148-534-0x0000015F9BBC0000-0x0000015F9BBE0000-memory.dmp

Filesize
128KB

Download
memory/3148-551-0x0000015F9C020000-0x0000015F9C040000-memory.dmp

Filesize
128KB

Download
memory/3148-529-0x0000015799B00000-0x0000015799C00000-memory.dmp

Filesize
1024KB

Download
memory/3148-577-0x0000015F9C000000-0x0000015F9C020000-memory.dmp

Filesize
128KB

Download
memory/3508-1094-0x0000023693EE0000-0x0000023693F00000-memory.dmp

Filesize
128KB

Download
memory/3508-1122-0x0000023694520000-0x0000023694540000-memory.dmp

Filesize
128KB

Download
memory/3508-1115-0x0000023693EC0000-0x0000023693EE0000-memory.dmp

Filesize
128KB

Download
memory/3508-1089-0x0000023693000000-0x0000023693100000-memory.dmp

Filesize
1024KB

Download
memory/3508-1088-0x0000023693000000-0x0000023693100000-memory.dmp

Filesize
1024KB

Download
memory/3592-692-0x0000020C45450000-0x0000020C45470000-memory.dmp

Filesize
128KB

Download
memory/3592-683-0x0000020C45040000-0x0000020C45060000-memory.dmp

Filesize
128KB

Download
memory/3592-670-0x0000020C45080000-0x0000020C450A0000-memory.dmp

Filesize
128KB

Download
memory/3708-802-0x0000017BE52D0000-0x0000017BE52F0000-memory.dmp

Filesize
128KB

Download
memory/3708-796-0x0000017BE4200000-0x0000017BE4300000-memory.dmp

Filesize
1024KB

Download
memory/3708-797-0x0000017BE4200000-0x0000017BE4300000-memory.dmp

Filesize
1024KB

Download
memory/3708-822-0x0000017BE56A0000-0x0000017BE56C0000-memory.dmp

Filesize
128KB

Download
memory/3708-821-0x0000017BE5290000-0x0000017BE52B0000-memory.dmp

Filesize
128KB

Download
memory/4124-936-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/4132-375-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4456-98-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4552-1226-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/4556-527-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/4672-939-0x000002099AC00000-0x000002099AD00000-memory.dmp

Filesize
1024KB

Download
memory/4672-938-0x000002099AC00000-0x000002099AD00000-memory.dmp

Filesize
1024KB

Download
memory/4672-943-0x000002099BC90000-0x000002099BCB0000-memory.dmp

Filesize
128KB

Download
memory/4672-974-0x000002099BC50000-0x000002099BC70000-memory.dmp

Filesize
128KB

Download
memory/4672-975-0x000002099C060000-0x000002099C080000-memory.dmp

Filesize
128KB

Download
memory/4672-940-0x000002099AC00000-0x000002099AD00000-memory.dmp

Filesize
1024KB

Download
memory/4848-662-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download