Analysis
-
max time kernel
80s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
28-06-2024 08:13
General
-
Target
19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe
-
Size
667KB
-
MD5
19692ed7b4d90397bb54fb483823e32c
-
SHA1
4bb7b5a2cea25d928f22a799d9edeaf8806eb012
-
SHA256
6862bae6ba9e69a63484969adc77f3742d3ff10181560effd9902b193901613e
-
SHA512
ceaf30d1257dd0f7abef3f03db33496b1ea86ca8f8deea123728baa4a104108e97dd9a7b2695e2efbfa81a48ef26e8c4e0ff52dbf83b27fc4389ca456f455ad4
-
SSDEEP
12288:WbMqmwEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WI+EEb4Ev/ATEXKGVnGTzpA1Ec1A
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
ModiLoader Second Stage 8 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 9 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 44 IoCs
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 16 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\DV245F.exeC:\Users\Admin\DV245F.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\zbpob.exe"C:\Users\Admin\zbpob.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\aohost.exeC:\Users\Admin\aohost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\aohost.exeaohost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\bohost.exeC:\Users\Admin\bohost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\bohost.exeC:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\0D456\4B912.exe%C:\Users\Admin\AppData\Roaming\0D4564⤵
- Executes dropped EXE
-
C:\Users\Admin\bohost.exeC:\Users\Admin\bohost.exe startC:\Program Files (x86)\56B80\lvvm.exe%C:\Program Files (x86)\56B804⤵
- Executes dropped EXE
-
C:\Users\Admin\dohost.exeC:\Users\Admin\dohost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:81⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Defense Evasion
Modify Registry
6Hide Artifacts
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9Filesize
471B
MD5b4b19f96a22192db9a83ba8a65a2e8d1
SHA1e50926c1b3d5390c2489e1f1c000654bf2c773ff
SHA25691ee46abed31c2de11cdf68d792ef2c6f188ce82edc28bd4eb702c56167c7a7d
SHA5125166f784b73b0f83a0bd9b02cdb89ee560b69b0eff9afff8601edd301ce409a1f42b586c68d4f34b291797527bba6f092777e2e17131b0766a1f93121045331b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9Filesize
420B
MD5b8899b9f4f5745824e9a42d01fe38dbd
SHA10a2120a0f908ac5663f1beced1afeb30c8432eba
SHA25664740f806a7b58992e8f23f6719f12d32b820548f6036605492c5b89df611746
SHA5127c54f0e1bac8aa3eed51688532326bcb0a614855ad05bb0a4e969944fea31deeb64c4bf8d3b4f38cae9d0ad878eea7630eaf00d9d54aaae46548fd9f0b3f8103
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbresFilesize
2KB
MD5619592250cb43a44108b86fc808f7295
SHA1521f96e29e2bf257e67a22168e86cfd69f31cf46
SHA256ca5cba7e44fa681d9a3d995952ccd1dcc3099d8fb0464c5d0b49614ac737aa8c
SHA512a06f83291d44cdb401c2f5fceab23dc928c26b94f2de33949195a7e5b8647985186aed4209d186d594d11e84791d2010b482be922dd664be7a28678f02f2622e
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\OE9DJ3LK\microsoft.windows[1].xmlFilesize
96B
MD50f6abe1ee9fa77b6b269e1a5401bbaf1
SHA1e0805afe225412725e7c5e902fd5d7cfbfc30437
SHA2566133a01b57b98ac5362bc51c436b99e58ba44d9b0e7db95b43dfb7d02423e056
SHA5122a810ccad4f37df09425138c474d947223fe7206e045b117991ed6210101615b0e503eeb6c7454ae98b2aff0e52dcbbf4d041f728d0c7d7cf00c1f4c430cce25
-
C:\Users\Admin\AppData\Roaming\0D456\6B80.D45Filesize
996B
MD54e9888c709b5bb20611ebf2d0b48371c
SHA1a3ba0996b9dcc6ab6e2e7163b09ef30401948def
SHA256f74d3211d3d8f20f0fb70899b50a836cc0e242c9d85b6fff10fa1bedd9a109d4
SHA5125d15b27b40750f8bc3836c85db1ef375d4e742f1015c24a5de345fbd7b4a2b8f236a52233540c6547b4b7f722585030da2f8121f4e017f799782648df281e842
-
C:\Users\Admin\AppData\Roaming\0D456\6B80.D45Filesize
1KB
MD5e44f330a0c366a72a0e06918211924da
SHA1b00247fe8e21a7b74eb10365129389f22c1a294d
SHA256590962462865b9c31a21477184df00c1f7902c08188f7f806fa217900041f43d
SHA512b81af1d294b8a9aca01acbb33a18c713c61812cd694d49dccfcd867e2ab44b4ad36ed1aec3c6dd349ac5e5dd74842f0e89c8994098c5b039fd3523324db98e0b
-
C:\Users\Admin\AppData\Roaming\0D456\6B80.D45Filesize
600B
MD5d78bd03478c7bcb9eb08fdeb913f82e0
SHA1b6f3eb0a006cdc66084474b1ab011f615f4e3a4f
SHA256c89633dc6bb2c46f7e4fee396f03919ff5517b9ee4b4c895bd6607219c4f4505
SHA5122a1fcc23a6d06afd8602060f648a96b519c9aa4ddfc1bae139024c954b388b5c7f3a04598a941402553eb2b92c8e1989eb473c82712671ca44d1cd0e96b751fb
-
C:\Users\Admin\DV245F.exeFilesize
216KB
MD500b1af88e176b5fdb1b82a38cfdce35b
SHA1c0f77262df92698911e0ac2f7774e93fc6b06280
SHA25650f026d57fea9c00d49629484442ea59cccc0053d7db73168d68544a3bbf6f59
SHA5129e55e7c440af901f9c6d0cdae619f6e964b9b75c9351c76ea64362ff161c150b12a1caabb3d2eb63353a59ae70e7159ca6b3793ed0cc11994766846ac316107f
-
C:\Users\Admin\aohost.exeFilesize
152KB
MD54401958b004eb197d4f0c0aaccee9a18
SHA150e600f7c5c918145c5a270b472b114faa72a971
SHA2564c477ed134bc76fa7b912f1aad5e59d4f56f993baa16646e25fec2fdeed3bd8b
SHA512f0548bdaafce2cde2f9d3bd1c26ed3c8e9321ef6d706bd372e18886d834828e5bb54ae44f19764e94574ceb4a1a2a99bdd8476e174b05114fcac9a6d4a2d58e6
-
C:\Users\Admin\bohost.exeFilesize
173KB
MD50578a41258df62b7b4320ceaafedde53
SHA150e7c0b00f8f1e5355423893f10ae8ee844d70f4
SHA25618941e3030ef70437a5330e4689ec262f887f6f6f1da1cd66c0cbae2a76e75bf
SHA5125870a73798bad1f92b4d79f20bf618112ec8917574f6b25ab968c47afff419a829eef57b0282fb4c53e6e636436c8cf52a01426c46bdd4a0ea948d371f0feb09
-
C:\Users\Admin\dohost.exeFilesize
24KB
MD5d7390e209a42ea46d9cbfc5177b8324e
SHA1eff57330de49be19d2514dd08e614afc97b061d2
SHA256d2d49c37bdf2313756897245c3050494b39e824af448450eca1c0e83cf95b1e5
SHA512de0eb11dd20cd9d74f47b138fb4189a299a57173fe2635150045b01629354f35b26e0575acd25501403af0db238a123b2e5a79582b47aee1d6e786f5eec1929d
-
C:\Users\Admin\zbpob.exeFilesize
216KB
MD5bba67e5c42ebf9fe7d8525e6ccd8a7f2
SHA1b144d8bafcc012006570924e0f5e0b766f0570ad
SHA25695a2b6d2e7a2865f3bbca5cacbeeda0fb0192282e423016359c0082510dc2aae
SHA5128cbd0af6df5ede790226f2a3e45763330a8106548aa8585a840cceb9c9d3d1780fc8da672091fd5163e1cd58d03239de980fd294dec1dd447771191189a9acd1
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/384-248-0x0000000002AC0000-0x0000000002AC1000-memory.dmpFilesize
4KB
-
memory/396-400-0x0000000002980000-0x0000000002981000-memory.dmpFilesize
4KB
-
memory/1076-5-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/1392-73-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1420-704-0x000001D611400000-0x000001D611500000-memory.dmpFilesize
1024KB
-
memory/1420-707-0x000001D6122F0000-0x000001D612310000-memory.dmpFilesize
128KB
-
memory/1420-726-0x000001D6128C0000-0x000001D6128E0000-memory.dmpFilesize
128KB
-
memory/1420-714-0x000001D6122B0000-0x000001D6122D0000-memory.dmpFilesize
128KB
-
memory/1956-46-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2012-555-0x0000000002780000-0x0000000002781000-memory.dmpFilesize
4KB
-
memory/2168-50-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2168-43-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2168-42-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2168-75-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2168-49-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2568-851-0x00000000040D0000-0x00000000040D1000-memory.dmpFilesize
4KB
-
memory/3048-7-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/3048-4-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/3048-1-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/3048-0-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/3048-245-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/3048-11-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/3048-6-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/3048-74-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/3412-700-0x0000000004B60000-0x0000000004B61000-memory.dmpFilesize
4KB
-
memory/3580-255-0x000001CFF7DB0000-0x000001CFF7DD0000-memory.dmpFilesize
128KB
-
memory/3580-286-0x000001CFF8180000-0x000001CFF81A0000-memory.dmpFilesize
128KB
-
memory/3580-250-0x000001CFF6C50000-0x000001CFF6D50000-memory.dmpFilesize
1024KB
-
memory/3580-269-0x000001CFF7D70000-0x000001CFF7D90000-memory.dmpFilesize
128KB
-
memory/3580-251-0x000001CFF6C50000-0x000001CFF6D50000-memory.dmpFilesize
1024KB
-
memory/3580-252-0x000001CFF6C50000-0x000001CFF6D50000-memory.dmpFilesize
1024KB
-
memory/3820-586-0x000001BE29B60000-0x000001BE29B80000-memory.dmpFilesize
128KB
-
memory/3820-562-0x000001BE29590000-0x000001BE295B0000-memory.dmpFilesize
128KB
-
memory/3820-558-0x000001BE28640000-0x000001BE28740000-memory.dmpFilesize
1024KB
-
memory/3820-557-0x000001BE28640000-0x000001BE28740000-memory.dmpFilesize
1024KB
-
memory/3820-574-0x000001BE29550000-0x000001BE29570000-memory.dmpFilesize
128KB
-
memory/4424-853-0x000001CB60000000-0x000001CB60100000-memory.dmpFilesize
1024KB
-
memory/4424-858-0x000001CB61120000-0x000001CB61140000-memory.dmpFilesize
128KB
-
memory/4424-854-0x000001CB60000000-0x000001CB60100000-memory.dmpFilesize
1024KB
-
memory/4444-402-0x000001C25AB70000-0x000001C25AC70000-memory.dmpFilesize
1024KB
-
memory/4444-429-0x000001C25C0A0000-0x000001C25C0C0000-memory.dmpFilesize
128KB
-
memory/4444-403-0x000001C25AB70000-0x000001C25AC70000-memory.dmpFilesize
1024KB
-
memory/4444-404-0x000001C25AB70000-0x000001C25AC70000-memory.dmpFilesize
1024KB
-
memory/4444-407-0x000001C25BAD0000-0x000001C25BAF0000-memory.dmpFilesize
128KB
-
memory/4444-417-0x000001C25BA90000-0x000001C25BAB0000-memory.dmpFilesize
128KB
-
memory/4460-139-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/4620-242-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/4620-76-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/4620-142-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB