Analysis
-
max time kernel
63s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-07-2024 08:21
General
-
Target
1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe
-
Size
807KB
-
MD5
1a94bba2273274d0f93731436bc1bb30
-
SHA1
543eddbadf14a9aeab0affde1e7d7f7b2360d710
-
SHA256
709d95ad585b444dc62d9fabec674210cb2baacec84a6a477ed37e2787a8833e
-
SHA512
8e6567e54555dd41983274ad40f5f01348401afbfa7462d45cb9c4f9c7fb88ab67da94cb2233f05b6d73ed9e6db268e34b1b89ca1ff7efdf3229d6b8cfef95a3
-
SSDEEP
24576:FYkjllgR+tmbs1t9qgYohxfloUZhjaoJKwbgy:FYslhtmMKcoUvPJKwbgy
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
ModiLoader Second Stage 10 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 42 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 12 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\eQDewf74.exeC:\Users\Admin\eQDewf74.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\weaafec.exe"C:\Users\Admin\weaafec.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del eQDewf74.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\aihost.exeC:\Users\Admin\aihost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\aihost.exeaihost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\bihost.exeC:\Users\Admin\bihost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\bihost.exebihost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\cihost.exeC:\Users\Admin\cihost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\cihost.exeC:\Users\Admin\cihost.exe startC:\Users\Admin\AppData\Roaming\02145\A150B.exe%C:\Users\Admin\AppData\Roaming\021454⤵
- Executes dropped EXE
-
C:\Users\Admin\cihost.exeC:\Users\Admin\cihost.exe startC:\Program Files (x86)\4542F\lvvm.exe%C:\Program Files (x86)\4542F4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\LP\0B90\FB19.tmp"C:\Program Files (x86)\LP\0B90\FB19.tmp"4⤵
- Executes dropped EXE
-
C:\Users\Admin\dihost.exeC:\Users\Admin\dihost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
-
C:\Users\Admin\eihost.exeC:\Users\Admin\eihost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Defense Evasion
Modify Registry
6Hide Artifacts
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LP\0B90\FB19.tmpFilesize
100KB
MD54c04ec47c44bc997519e18ce5f20e9d6
SHA1680968fe85eaa19ac68b8dabf3371dd81684ed83
SHA256446ddf0822deef56cedbfa0910143c744835ed765d128408d9ea994a569581a2
SHA512e33e959e25d09152c1f64d60a7733f7c7a1dfd9f0bee6ed1f8aa18cf5e5248442e365d211c4555e0723b4e23e97c0a99d43b8fe6538cc9c77f0d39fd73616279
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9Filesize
471B
MD50544357b5442c61ee343154aa83651e0
SHA1a1d4ba1d65f0f5465598b7ef8bc3a17f904782fc
SHA256b1d29e68eaa7bacffddbab97dab1e700584fe70c6a6c91f3018c8d87d5ef0f21
SHA51267a2104c9e1b3322ece85a3cdce556fb762973e8288d40c13c872eeb0da6c5436225aa1220a45d31e5300006bd87943a9ee85f6c32bbbb0d504687ecc7373b46
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9Filesize
420B
MD5b380fea67f4548faee90d0b2faa1d4dd
SHA14603cfeb9d8353ddf1f777c5fda3bd94c85999ec
SHA2561dfd2a039193fb509747bf9a7815bcc251aa8d61ce1645b54687fe4b1826c656
SHA5126b8c492a3d04291e11541469b6649d9f074a6e95d991c4cefa7000b3bfc4561017ff100b979daddc493628a417e1109f06444d28f8afe4f9469514d0be124c1c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbresFilesize
2KB
MD56b520c271f649e84693fcd94ce6f04b3
SHA17b12ad9d4f60c948cd1d4dd1fb2bbed1d3c8e61c
SHA25681e4a5d0d79aafdb6be599400e7cac5e387240869f3a1b01113e76392b05009c
SHA512b894700a3ea320f181b89d5e4198c40bb4b408efd109080e89e418c5d553e5e7cf2edfba9936425e9c7e2e86cfd4f98a5b30fe44293a53ddc1545bd0ad5cb0ce
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\U23Z080G\microsoft.windows[1].xmlFilesize
97B
MD5292a283bdecf4cd89c3ad863a28bc72f
SHA118e896fec5f8b3ea2963d0a5cb45a244050c35c1
SHA25609794c6006f357000111d7d13c1c20075eaea58f68df78e118d14b4547835ec2
SHA51271349774dcf41cd9e72c881cd374ffaf2527b2156a616cc064f10f34e7bbf0ea6174916acb2b8b06428f2b2f29315359e66dde317965463ea1eb70fef52beaaa
-
C:\Users\Admin\AppData\Roaming\02145\542F.214Filesize
600B
MD57dd5b5fc2f4bf991321d31039a253998
SHA1f9870e7dd9ab4d0f58bbded495725eff6710d8a5
SHA2561a4933ed1959faaba30d87af92377dea3fb4a50cb68b77ed7c3281373343adc0
SHA51249f36842a014231c3bdb24cc0ef418ef23445b2086e0d900a65750cf20814361819c142e54b2116ac34a17c5322b814d7d78dd11ba2b321c15f9377ee884a541
-
C:\Users\Admin\AppData\Roaming\02145\542F.214Filesize
996B
MD597ecfe98f544c05ce2e9452ee823deb1
SHA159428cd3f9a4ab173f538b39ca8148565acfe7e7
SHA2566a849e785e543b6cc2555c362b35ad8aca8fc550126ed1a796f03c8cf35e91f7
SHA512114d61a837e7df2eae5eaab0c879ead518d7327e43c0f71e1789b1f7ae14341d6a00a8c3c7e72c1a8111ba22faab30c4d8e677b23c141f66bf8fca41335975cf
-
C:\Users\Admin\AppData\Roaming\02145\542F.214Filesize
1KB
MD583d1ab5dad9a3c33509111fe208af623
SHA17a75030b5ea718c5be1db74ff988bb232bd224c6
SHA256cd6cbe65f41cfa137554b380fd8ec0071d74954a2b89e081c0ee474755bad3b0
SHA512bf777a5c42dcb9d70dda2f024181fff9e5f3acc3a0d2235e6a27bcbfe8b8e31ff9793f537ee928d544186b0147816dbd5d6ebd72824773d8704e464af359234d
-
C:\Users\Admin\aihost.exeFilesize
229KB
MD5c7b9733430c4bf7f56a0c89d7f2dd9cf
SHA10a894c98e17a8c81a378a37c2230cf188932d21e
SHA2568047916855a52a9b5e97c010e8fc2dc01a9ed91d2798a6869f8669ea4a92940d
SHA5124aefe0746e896c00bc908128ba63e13d2abed9e839d13da14042365afb81d85bf75537292f7323a56694258ddec7a88b57202721b62651cfcbef2932c0cb2464
-
C:\Users\Admin\bihost.exeFilesize
119KB
MD5386fef8fdb975e7c102921910db7f9fb
SHA1cdf3f86411189db08c8c0f887f26c2572ecc0889
SHA256ae06d784c51702aff587d235d48de3b1162872069fac4602d921d023527efae0
SHA5126ab8c2721c81bdff414e8cdbd7ca006abf3ed8c0155510d6c92555885038f33c1cf08372302b6465196f69aa15a7305fb05eb2e12026f1fc96a797646b8d2352
-
C:\Users\Admin\cihost.exeFilesize
279KB
MD54df3241b8f53ad2d1c0bba6dc1b97e02
SHA1f0c43893143a3442a453f56c9c4f740941b1d097
SHA256407e0425757e28262c3054c1dc981a9f41cf83cd67ecfbf37d3b8fe74db54199
SHA512e90e4a8b708fb9d3213f73e641fa39625a38fa969270ef1123206fb30d04837f018b9838aa02a234265c0b9ba765f567b748a7b73c437b96daba7a15e5e38663
-
C:\Users\Admin\dihost.exeFilesize
244KB
MD588537f3fd69e60683c4467e89b7651af
SHA12c14a9010bed93b0622efe283a34de343ca33244
SHA2564a7897e22ad30c516920e6441dc360a98114f15d9652b89909758f4966029692
SHA512b3d070628092558770e08386eeabf69efc613ce163ce1f50cc00a81a78cbec6b667a84a4f09144b7f0c145ec28929b78deee4f7cab10ce7ac9a2f9c536ce8084
-
C:\Users\Admin\eQDewf74.exeFilesize
180KB
MD542836a2ee8ce9deef8d846272ef3949f
SHA179f698c53e56c96c859a0155e02a24c93e120145
SHA2565569f623253918233149531fbd49bd624af013695bf0f7d8b53ef58b062e6a37
SHA512786802f71512228215ddac4d23a7eec6e8cfb8ab4c02ba0a03b06241431e70c202e845ce08222945f668218d91dd6630e9e5499be0b44fda7b3dc29e98231d85
-
C:\Users\Admin\eihost.exeFilesize
28KB
MD5f06f7a3945f4f78ee2c6d1ed35cbb5be
SHA1ac1ab0f60a94286b6f01b40431e6f87f6e9899bf
SHA256a2c720d07e18b73143b040ab817bad7da98ed2a262d55e6119b9cbd8b93dbbe3
SHA51223f1fc1f15aab030c3d19a1c166479a52659b91dac00fff1301ddfd6e5e62279d45ec176f2e891098eb0d613d1f148952bf71341227b35f52c3bc2bf5fcdad14
-
C:\Users\Admin\weaafec.exeFilesize
180KB
MD58ad0a0c2b38707eaf028564aba1d2def
SHA184440b7eea1e1c636bfc0ea0655bc040b58c47bb
SHA25600f7bbc10a3a7d6e907c95ba98dad419d4e64ed05ae2029ed96010d90e3bf3ff
SHA512f558a55e66dc093d5841f79b6633fb9a74630ab1713762900d92ac63dea8fe32da7144e3dfbe98ff69b4bcb521616929781f6d68d72a3ee56c489819d39b42f3
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/744-598-0x00000000046C0000-0x00000000046C1000-memory.dmpFilesize
4KB
-
memory/948-73-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/948-66-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/948-69-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/948-65-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/948-70-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/1864-57-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/1864-55-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/1864-56-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/1864-59-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/1864-92-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/1864-54-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/1948-181-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/2584-61-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/2620-72-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/2756-745-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/2756-94-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/2756-179-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/3224-99-0x0000000000400000-0x000000000045D000-memory.dmpFilesize
372KB
-
memory/3228-96-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/3388-601-0x00000255B6A00000-0x00000255B6B00000-memory.dmpFilesize
1024KB
-
memory/3388-604-0x00000255B79E0000-0x00000255B7A00000-memory.dmpFilesize
128KB
-
memory/3388-628-0x00000255B80B0000-0x00000255B80D0000-memory.dmpFilesize
128KB
-
memory/3388-614-0x00000255B79A0000-0x00000255B79C0000-memory.dmpFilesize
128KB
-
memory/3560-298-0x000002C18F070000-0x000002C18F090000-memory.dmpFilesize
128KB
-
memory/3560-329-0x000002C18F440000-0x000002C18F460000-memory.dmpFilesize
128KB
-
memory/3560-311-0x000002C18F030000-0x000002C18F050000-memory.dmpFilesize
128KB
-
memory/3616-754-0x0000014EDAB80000-0x0000014EDABA0000-memory.dmpFilesize
128KB
-
memory/3616-751-0x0000014ED9A20000-0x0000014ED9B20000-memory.dmpFilesize
1024KB
-
memory/3616-749-0x0000014ED9A20000-0x0000014ED9B20000-memory.dmpFilesize
1024KB
-
memory/3616-780-0x0000014EDAF50000-0x0000014EDAF70000-memory.dmpFilesize
128KB
-
memory/3616-765-0x0000014EDAB40000-0x0000014EDAB60000-memory.dmpFilesize
128KB
-
memory/3760-5-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4020-291-0x0000000004A90000-0x0000000004A91000-memory.dmpFilesize
4KB
-
memory/4376-455-0x000001DAF2F00000-0x000001DAF3000000-memory.dmpFilesize
1024KB
-
memory/4376-487-0x000001DAF4420000-0x000001DAF4440000-memory.dmpFilesize
128KB
-
memory/4376-454-0x000001DAF2F00000-0x000001DAF3000000-memory.dmpFilesize
1024KB
-
memory/4376-473-0x000001DAF4020000-0x000001DAF4040000-memory.dmpFilesize
128KB
-
memory/4376-459-0x000001DAF4060000-0x000001DAF4080000-memory.dmpFilesize
128KB
-
memory/4516-79-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/4516-6-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/4516-7-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/4516-0-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/4516-11-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/4516-1-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/4516-901-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/4516-4-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/4716-453-0x0000000002DC0000-0x0000000002DC1000-memory.dmpFilesize
4KB
-
memory/4736-748-0x0000000004A40000-0x0000000004A41000-memory.dmpFilesize
4KB
-
memory/4888-594-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB