Analysis
-
max time kernel
71s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
04-07-2024 08:09
General
-
Target
253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
-
Size
278KB
-
MD5
253a01a3885449b469b5d48701c1f1b0
-
SHA1
c152218d2ed37052b8e5808c45246bbb0dd7f8cd
-
SHA256
54eead45e2f5c5d49a65e9b6d2ccb79dad19acd6952713dddbdb1deedac57936
-
SHA512
91f30a2ccf7f2ed339c7531f130058af77629ccf538da88c819b5994cfdc13ff343d4cd52bc676436de201ad2252e7db5f8a3692b50fee146c72681b3cc8f089
-
SSDEEP
6144:rwmpb9Zz43C+A9cvUEEpXYMSkDZcxOqcDIrM:rwml9t43CTAM1uZA
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 9 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 14 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe"1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\C6AE9\4B912.exe%C:\Users\Admin\AppData\Roaming\C6AE92⤵
-
C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe startC:\Program Files (x86)\E9E7A\lvvm.exe%C:\Program Files (x86)\E9E7A2⤵
-
C:\Program Files (x86)\LP\12AC\CC0A.tmp"C:\Program Files (x86)\LP\12AC\CC0A.tmp"2⤵
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LP\12AC\CC0A.tmpFilesize
97KB
MD578193d48f57272fd9ea2e44ed86d608c
SHA11e70368bb5a0932f868fdddb22fd23dd2e7dedeb
SHA256c09d0876bbf956eb381d92a3e9dd61d49a4d65c1d2b65d3d42cb795256804aae
SHA5124f55914fe2d3780f174843b9f3666a10f63caae9634af925da3dc6aea5a3f6ab9e6ebf693698b781931ce794919558c59f7bfa22be94dc8b556784d948fa14c1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9Filesize
471B
MD50894160f2995d6fa79e680cb5838f46d
SHA173dd4befe3415378eb9a81fd3d25dcfbc38b5538
SHA256b357d5b4d66c1b85bfec43b5f415eabe93a82f9221f105938fb69ac2c544c78f
SHA5125044bdcf67470b87f7fdee5466102c960011172360fade265973aab2cebc04af34146232e6b174153f7a58b22c445fc9a79f597e92bec554e7dfe6b571683f41
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9Filesize
420B
MD51a6de5358046cfba904fa88f7e4fdb05
SHA1ecdadff6d6f326fedfc35c68cf0ff5f5b1b1829d
SHA2562a6facf1d0bdcd8a28c7d15ba48fcf88b2131c9907105ef52a835699ea430fa8
SHA51240f10917ef329df119b44042a59f6dc66dc1aefc7a8a9bd2d6447d1ad88e972a64c6b930e8eb26691e5e21db7be41f367666407932a650164d889e0f365fe2e3
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbresFilesize
2KB
MD587dce6e5fa622db4d666c3fd86c67dcb
SHA1064a0aa39628b6494381de71e4af037714d8bdbf
SHA256c9a5c46689dcdc0a97e422b946b735f19831be069d3e30b07792c324ffec7408
SHA512f9f9b2bd6926cc20244d6bd029b888038fe3e220a67d8f426fcae9b7805fdca55a8ddc3431a98175f4941c3a05f37208d49f3ccd4f00ba4901978976aac98b93
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\U23Z080G\microsoft.windows[1].xmlFilesize
97B
MD5292a283bdecf4cd89c3ad863a28bc72f
SHA118e896fec5f8b3ea2963d0a5cb45a244050c35c1
SHA25609794c6006f357000111d7d13c1c20075eaea58f68df78e118d14b4547835ec2
SHA51271349774dcf41cd9e72c881cd374ffaf2527b2156a616cc064f10f34e7bbf0ea6174916acb2b8b06428f2b2f29315359e66dde317965463ea1eb70fef52beaaa
-
C:\Users\Admin\AppData\Roaming\C6AE9\9E7A.6AEFilesize
996B
MD51aa7d116cd4811e55b5b1a82be03813f
SHA1c9ae48fb7748f11621b62195e1810b56ba621dba
SHA25635b2e8e7784852359fbaad85bcd97c5ca12696d6bd6e8d80f27e7fe19c04f414
SHA51229a11d23baf138188d1891e6a18098ddcdaca2abd3331376af25ec9514ae5f6f02ca30579752094e66d0dccca0c7adad48dfe302381aab5258a1d96240189ca7
-
C:\Users\Admin\AppData\Roaming\C6AE9\9E7A.6AEFilesize
1KB
MD5e18a588bac8c751db08a0e300626cc6c
SHA1baa62c3442c99e1af22a7e9842666bf41b5c290f
SHA2561e063d04c4c995b252a6a1d5d706abb19d781b5995b03f5cd63dfac349154c8d
SHA5127ce87967ef2e0ef6c544f030a761541f636919ba9be74d2273fabfddeb51e30bb2b9de9f0ff88f383b26a2c3cbcf871a2e11cc0d523ab46c1226992a6746a806
-
C:\Users\Admin\AppData\Roaming\C6AE9\9E7A.6AEFilesize
600B
MD5ecf1de09b0428cc15c2a64f4b8e594a1
SHA1f8d1a7106a8a89a5b200568d94bffbdeca6ff6a5
SHA2566acb3dc2d1b15b71cf6a96fde907b971f2e2d79e9398258a8a3bbbded7e6e43f
SHA512eea62fc56c2c7c629d871c9a0eb9c888e7214a5e207ff11526602bbccf165d37614f00e38e291f11b765ce1071c09aaf257b95e00edd9c83b736d110e4ab5513
-
C:\Users\Admin\AppData\Roaming\C6AE9\9E7A.6AEFilesize
300B
MD5d3b14d81dec054706cedc34d27305273
SHA1be46114b93e88c7611f63cdec45a891aed7f0983
SHA256bbf680c1cf5b3d573287f15ff11ad0c8e35ebee5c73d9bfef3eecd1d6064db4a
SHA5125387613d0e1608ebf90e101b546aad7e6b65b4b0abde57700989aef3265caf7aee1d8a602d59d780c300d3c6c71f1e58dc349c746960908058c1109af9ce4105
-
memory/64-1288-0x0000000004DB0000-0x0000000004DB1000-memory.dmpFilesize
4KB
-
memory/368-1291-0x0000029573900000-0x0000029573A00000-memory.dmpFilesize
1024KB
-
memory/368-1295-0x0000029574820000-0x0000029574840000-memory.dmpFilesize
128KB
-
memory/368-1317-0x0000029574E00000-0x0000029574E20000-memory.dmpFilesize
128KB
-
memory/368-1305-0x00000295745E0000-0x0000029574600000-memory.dmpFilesize
128KB
-
memory/1364-723-0x0000026A0D2B0000-0x0000026A0D2D0000-memory.dmpFilesize
128KB
-
memory/1364-701-0x0000026A0CE60000-0x0000026A0CE80000-memory.dmpFilesize
128KB
-
memory/1364-692-0x0000026A0CEA0000-0x0000026A0CEC0000-memory.dmpFilesize
128KB
-
memory/1520-1579-0x0000000004830000-0x0000000004831000-memory.dmpFilesize
4KB
-
memory/2204-987-0x0000000004680000-0x0000000004681000-memory.dmpFilesize
4KB
-
memory/2364-1137-0x0000021096E20000-0x0000021096F20000-memory.dmpFilesize
1024KB
-
memory/2364-836-0x0000000002600000-0x0000000002601000-memory.dmpFilesize
4KB
-
memory/2364-1174-0x0000021098350000-0x0000021098370000-memory.dmpFilesize
128KB
-
memory/2364-1155-0x0000021097F40000-0x0000021097F60000-memory.dmpFilesize
128KB
-
memory/2364-1139-0x0000021096E20000-0x0000021096F20000-memory.dmpFilesize
1024KB
-
memory/2364-1142-0x0000021097F80000-0x0000021097FA0000-memory.dmpFilesize
128KB
-
memory/2364-1138-0x0000021096E20000-0x0000021096F20000-memory.dmpFilesize
1024KB
-
memory/2536-553-0x0000018E11990000-0x0000018E119B0000-memory.dmpFilesize
128KB
-
memory/2536-542-0x0000018E119D0000-0x0000018E119F0000-memory.dmpFilesize
128KB
-
memory/2536-574-0x0000018E11DA0000-0x0000018E11DC0000-memory.dmpFilesize
128KB
-
memory/2680-232-0x0000000004A30000-0x0000000004A31000-memory.dmpFilesize
4KB
-
memory/3092-192-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3104-684-0x00000000030B0000-0x00000000030B1000-memory.dmpFilesize
4KB
-
memory/3200-1587-0x00000153CBC70000-0x00000153CBC90000-memory.dmpFilesize
128KB
-
memory/3792-110-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3792-109-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/3940-384-0x00000000044C0000-0x00000000044C1000-memory.dmpFilesize
4KB
-
memory/4028-1440-0x00000218D7C00000-0x00000218D7C20000-memory.dmpFilesize
128KB
-
memory/4028-1452-0x00000218D7BC0000-0x00000218D7BE0000-memory.dmpFilesize
128KB
-
memory/4028-1464-0x00000218D7FD0000-0x00000218D7FF0000-memory.dmpFilesize
128KB
-
memory/4028-1437-0x00000218D6B00000-0x00000218D6C00000-memory.dmpFilesize
1024KB
-
memory/4028-1435-0x00000218D6B00000-0x00000218D6C00000-memory.dmpFilesize
1024KB
-
memory/4100-239-0x00000249BE640000-0x00000249BE660000-memory.dmpFilesize
128KB
-
memory/4100-268-0x00000249BEA00000-0x00000249BEA20000-memory.dmpFilesize
128KB
-
memory/4100-267-0x00000249BE600000-0x00000249BE620000-memory.dmpFilesize
128KB
-
memory/4140-1136-0x0000000004910000-0x0000000004911000-memory.dmpFilesize
4KB
-
memory/4280-403-0x00000227C31E0000-0x00000227C3200000-memory.dmpFilesize
128KB
-
memory/4280-416-0x00000227C35F0000-0x00000227C3610000-memory.dmpFilesize
128KB
-
memory/4280-387-0x00000227C1F00000-0x00000227C2000000-memory.dmpFilesize
1024KB
-
memory/4280-391-0x00000227C3220000-0x00000227C3240000-memory.dmpFilesize
128KB
-
memory/4280-386-0x00000227C1F00000-0x00000227C2000000-memory.dmpFilesize
1024KB
-
memory/4308-44-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/4308-42-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/4308-41-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/4352-535-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB
-
memory/4416-1007-0x00000287442F0000-0x0000028744310000-memory.dmpFilesize
128KB
-
memory/4416-1019-0x0000028744900000-0x0000028744920000-memory.dmpFilesize
128KB
-
memory/4416-988-0x0000028743400000-0x0000028743500000-memory.dmpFilesize
1024KB
-
memory/4416-993-0x0000028744330000-0x0000028744350000-memory.dmpFilesize
128KB
-
memory/4416-990-0x0000028743400000-0x0000028743500000-memory.dmpFilesize
1024KB
-
memory/4416-989-0x0000028743400000-0x0000028743500000-memory.dmpFilesize
1024KB
-
memory/4496-1433-0x0000000004D00000-0x0000000004D01000-memory.dmpFilesize
4KB
-
memory/4872-860-0x0000028283500000-0x0000028283520000-memory.dmpFilesize
128KB
-
memory/4872-843-0x0000028283540000-0x0000028283560000-memory.dmpFilesize
128KB
-
memory/4872-874-0x0000028283910000-0x0000028283930000-memory.dmpFilesize
128KB
-
memory/5112-45-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/5112-1-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/5112-1286-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/5112-111-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/5112-112-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/5112-2-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/5112-191-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB