Analysis

  • max time kernel
    72s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/10/2024, 22:00

General

  • Target

    4a36039a350769562822afc507ed47fd_JaffaCakes118.exe

  • Size

    865KB

  • MD5

    4a36039a350769562822afc507ed47fd

  • SHA1

    9f86305d0e26e77355d8d48a795607e7dadd4b36

  • SHA256

    9e70706aa9b9ca3b3e6c49975f47b850853fef59de4537b9447e747cff3a348d

  • SHA512

    1a7718bfd261bde92bdcc944f589425c61c5be76462cdb01b2340a92d808a404b33162e2229339ccaaa41e8c5f1916b390c73f3ed2c5d2e35b9bd512b302ad3e

  • SSDEEP

    24576:YnIECCSIaYh4cJH495Wq/TB9y6BbUGsM/jq:YnIVCSIa6Y9kq/vBbv//

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 53 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 27 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a36039a350769562822afc507ed47fd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a36039a350769562822afc507ed47fd_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2388
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2600
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4984
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3052
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:4760
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4368
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3648
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
        PID:4872
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:5040
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
      1⤵
        PID:4180
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3500
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2336
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4160
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
          • Boot or Logon Autostart Execution: Active Setup
          PID:1616
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:932
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
            PID:3332
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:3064
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
          1⤵
            PID:1216
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
            • Suspicious use of SetWindowsHookEx
            PID:2324
          • C:\Windows\system32\sihost.exe
            sihost.exe
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:4880
            • C:\Windows\explorer.exe
              explorer.exe /LOADSAVEDWINDOWS
              2⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:5084
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:2164
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:4016
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:4572
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:2624
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:1052
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:3288
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:4240
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:1744
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 184 -p 1744 -ip 1744
            1⤵
              PID:1616
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:4040
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:4316
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:4440
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:4924
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:4404
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:4220
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:380
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:4608
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:4912
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:4272
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:4876
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:4592
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:1628
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:4752
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:4804
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:964
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:3324
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:3908
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:3568
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:1904
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:1416
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:4252
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:1336
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:4156
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:4992
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:4424
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:3636
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:532
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:3860
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:3040
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:3108
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:3928
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:4516
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:2708
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:3364
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:2288
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Modifies registry class
              PID:3936
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:3128
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              PID:4948
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
                PID:4952
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                  PID:2928
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:4328
                  • C:\Windows\explorer.exe
                    explorer.exe
                    1⤵
                      PID:4532
                    • C:\Windows\explorer.exe
                      explorer.exe
                      1⤵
                        PID:4100
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                          PID:4640
                        • C:\Windows\explorer.exe
                          explorer.exe
                          1⤵
                            PID:4416
                          • C:\Windows\explorer.exe
                            explorer.exe
                            1⤵
                              PID:1820
                            • C:\Windows\explorer.exe
                              explorer.exe
                              1⤵
                                PID:1508
                              • C:\Windows\explorer.exe
                                explorer.exe
                                1⤵
                                  PID:872
                                • C:\Windows\explorer.exe
                                  explorer.exe
                                  1⤵
                                    PID:2548
                                  • C:\Windows\explorer.exe
                                    explorer.exe
                                    1⤵
                                      PID:2352
                                    • C:\Windows\explorer.exe
                                      explorer.exe
                                      1⤵
                                        PID:2336
                                      • C:\Windows\explorer.exe
                                        explorer.exe
                                        1⤵
                                          PID:1216
                                        • C:\Windows\explorer.exe
                                          explorer.exe
                                          1⤵
                                            PID:3544
                                          • C:\Windows\explorer.exe
                                            explorer.exe
                                            1⤵
                                              PID:4812
                                            • C:\Windows\explorer.exe
                                              explorer.exe
                                              1⤵
                                                PID:4760
                                              • C:\Windows\explorer.exe
                                                explorer.exe
                                                1⤵
                                                  PID:232
                                                • C:\Windows\explorer.exe
                                                  explorer.exe
                                                  1⤵
                                                    PID:1032
                                                  • C:\Windows\explorer.exe
                                                    explorer.exe
                                                    1⤵
                                                      PID:904
                                                    • C:\Windows\explorer.exe
                                                      explorer.exe
                                                      1⤵
                                                        PID:2032
                                                      • C:\Windows\explorer.exe
                                                        explorer.exe
                                                        1⤵
                                                          PID:1536
                                                        • C:\Windows\explorer.exe
                                                          explorer.exe
                                                          1⤵
                                                            PID:3680
                                                          • C:\Windows\explorer.exe
                                                            explorer.exe
                                                            1⤵
                                                              PID:4724
                                                            • C:\Windows\explorer.exe
                                                              explorer.exe
                                                              1⤵
                                                                PID:5012
                                                              • C:\Windows\explorer.exe
                                                                explorer.exe
                                                                1⤵
                                                                  PID:372
                                                                • C:\Windows\explorer.exe
                                                                  explorer.exe
                                                                  1⤵
                                                                    PID:5020
                                                                  • C:\Windows\explorer.exe
                                                                    explorer.exe
                                                                    1⤵
                                                                      PID:2224
                                                                    • C:\Windows\explorer.exe
                                                                      explorer.exe
                                                                      1⤵
                                                                        PID:2656
                                                                      • C:\Windows\explorer.exe
                                                                        explorer.exe
                                                                        1⤵
                                                                          PID:5092
                                                                        • C:\Windows\explorer.exe
                                                                          explorer.exe
                                                                          1⤵
                                                                            PID:1396
                                                                          • C:\Windows\explorer.exe
                                                                            explorer.exe
                                                                            1⤵
                                                                              PID:1056
                                                                            • C:\Windows\explorer.exe
                                                                              explorer.exe
                                                                              1⤵
                                                                                PID:2632
                                                                              • C:\Windows\explorer.exe
                                                                                explorer.exe
                                                                                1⤵
                                                                                  PID:4356
                                                                                • C:\Windows\explorer.exe
                                                                                  explorer.exe
                                                                                  1⤵
                                                                                    PID:3088
                                                                                  • C:\Windows\explorer.exe
                                                                                    explorer.exe
                                                                                    1⤵
                                                                                      PID:3540
                                                                                    • C:\Windows\explorer.exe
                                                                                      explorer.exe
                                                                                      1⤵
                                                                                        PID:1232
                                                                                      • C:\Windows\explorer.exe
                                                                                        explorer.exe
                                                                                        1⤵
                                                                                          PID:4868
                                                                                        • C:\Windows\explorer.exe
                                                                                          explorer.exe
                                                                                          1⤵
                                                                                            PID:2676
                                                                                          • C:\Windows\explorer.exe
                                                                                            explorer.exe
                                                                                            1⤵
                                                                                              PID:4024
                                                                                            • C:\Windows\explorer.exe
                                                                                              explorer.exe
                                                                                              1⤵
                                                                                                PID:3832
                                                                                              • C:\Windows\explorer.exe
                                                                                                explorer.exe
                                                                                                1⤵
                                                                                                  PID:2240
                                                                                                • C:\Windows\explorer.exe
                                                                                                  explorer.exe
                                                                                                  1⤵
                                                                                                    PID:1552
                                                                                                  • C:\Windows\explorer.exe
                                                                                                    explorer.exe
                                                                                                    1⤵
                                                                                                      PID:4128
                                                                                                    • C:\Windows\explorer.exe
                                                                                                      explorer.exe
                                                                                                      1⤵
                                                                                                        PID:3168
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:4852
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:2476
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:4140
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:2780
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:2132
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:3428
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:4840
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:184
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:4548
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:3692
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:1164
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:3940
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:180
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:3768
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:1928
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:3848
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:1008
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:4176
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:4004
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:2136
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:3172
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:3508
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:224
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:3388
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:1892

Network

MITRE ATT&CK Enterprise v15

Downloads
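The listing below is the report's own record of files written during the run and of the memory regions it dumped. As an added example, not part of the report or of the sandbox that produced it, the Python below parses a block in this layout and applies the checks an analyst would want before lifting anything from it into a blocklist: every hash must be well-formed hex of the right length; a path listed twice with different digests (IconCache.db here, at 14KB and 18KB) is one file the run rewrote, not two files; entries under Windows' own cache locations (CryptnetUrlCache, IconCache.db, PenWorkspace, the Search package) are classed as OS noise, which is this example's assumption rather than a finding of the report; and for each memory dump the address range encoded in its name (PID-index-start-end) is compared with the Filesize label, so 0x400000 to 0xA35000 is 0x635000 bytes, the 6.2MB the report lists for PID 2388. The sample input is constructed by copying a few entries from the listing, with some hash fields omitted.

```python
"""Checks over a sandbox report's 'Downloads' block. Added example, not part of the
report: SAMPLE copies a few of its entries verbatim (some hash fields omitted, both
extraction layouts shown); NOISE_MARKERS is this example's own assumption."""
import re
from collections import defaultdict

SAMPLE = r"""
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
471B
MD5
5e073f3db38266109bf345c993ef6906
SHA256
47b13d57e40acefccbef72ea6559525283ab52ba85b3f54c2d67da42b9737ed5
• C:\Users\Admin\AppData\Local\IconCache.db
Filesize  14KB
SHA256    a6c7ed0ee8d2821db97eb6de9f751d677ec4033166bc461491acde35d10fb81d
• C:\Users\Admin\AppData\Local\IconCache.db
Filesize  18KB
SHA256    94dfdf33d367a3ab91629d1734ce1894d91e0720c79b5db039b1be10f27f8371
• memory/2388-0-0x0000000000400000-0x0000000000A35000-memory.dmp
Filesize  6.2MB
• memory/2336-26-0x000001D4B5200000-0x000001D4B5300000-memory.dmp
Filesize  1024KB
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABEL_VALUE = re.compile(r"^(%s)\s+(\S+)$" % "|".join(LABELS))
MEM_DUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

def parse_downloads(text):
    """One dict per bullet: {'path': ..., 'Filesize': ..., 'MD5': ..., ...}."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            entries.append(current)
            pending = None
        elif current is None:
            continue                       # stray text before the first bullet
        elif line in LABELS:
            pending = line                 # value arrives on the next line
        elif pending is not None:
            current[pending], pending = line, None
        elif (m := LABEL_VALUE.match(line)):  # label and value on one line
            current[m.group(1)] = m.group(2)
    return entries

def malformed_hashes(entry):
    """Hash fields that are not lowercase hex of the right length (copy/paste damage)."""
    return [k for k, n in HEX_LEN.items()
            if k in entry and not re.fullmatch("[0-9a-f]{%d}" % n, entry[k])]

def size_to_bytes(label):
    """'471B' -> 471, '14KB' -> 14336; the report rounds ('6.2MB'), so treat as approximate."""
    m = re.fullmatch(r"([0-9.]+)([KMG]?B)", label)
    if not m:
        raise ValueError("unrecognised size label: %r" % label)
    return float(m.group(1)) * UNITS[m.group(2)]

def memory_region(path):
    """(pid, start, end) for 'memory/PID-N-0xSTART-0xEND-memory.dmp', else None."""
    m = MEM_DUMP.match(path)
    return (int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)) if m else None

def dump_size_consistent(entry, tolerance=0.01):
    """Does the range in a dump's name agree with its Filesize label? None if not a dump."""
    region = memory_region(entry["path"])
    if region is None:
        return None
    length = region[2] - region[1]
    return abs(length - size_to_bytes(entry["Filesize"])) <= tolerance * length

def rewritten_paths(entries):
    """Paths listed more than once with different digests: files the run wrote repeatedly."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["path"]].add(e.get("SHA256") or e.get("MD5"))
    return sorted(p for p, digests in seen.items() if len(digests) > 1)

# Assumption of this example: Windows maintains these locations itself (CryptoAPI URL
# cache, Explorer icon cache, Pen Workspace and Search caches), so entries there are
# run-time noise rather than the sample dropping a payload.
NOISE_MARKERS = (r"\AppData\LocalLow\Microsoft\CryptnetUrlCache", r"\AppData\Local\IconCache.db",
                 r"\AppData\Local\Microsoft\PenWorkspace", r"\AppData\Local\Packages\Microsoft.Windows.Search_")

def is_os_noise(path):
    return any(marker in path for marker in NOISE_MARKERS)

def triage(text):
    entries = parse_downloads(text)
    dumps = [e["path"] for e in entries if memory_region(e["path"])]
    noise = [e["path"] for e in entries if is_os_noise(e["path"])]
    rest = [e["path"] for e in entries if e["path"] not in dumps + noise]
    return {"candidates": rest, "noise": noise, "dumps": dumps, "rewritten": rewritten_paths(entries)}
```

Run `triage(SAMPLE)` on the constructed input and nothing lands in `candidates`: the two user-profile files are Windows caches and the rest are memory dumps. Hashes of such cache files differ from machine to machine, so they are poor detection artifacts even when they appear in a malware report; the dump names, by contrast, carry real information, and the repeated 0x400000 to 0xA35000 region for PID 2388 (0x400000 is the default image base of a 32-bit PE) is where an analyst would look for the unpacked image.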

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
  Filesize  471B
  MD5       5e073f3db38266109bf345c993ef6906
  SHA1      c9518440a270e9483f2b5acca00b449fbef6e055
  SHA256    47b13d57e40acefccbef72ea6559525283ab52ba85b3f54c2d67da42b9737ed5
  SHA512    bf7445777da7ce065c3e5e8a582bb2bdb448297668c7f11305a9ac2564e3d496d44ee5d094c1217dc61dc5a2f26ada6d5187a82ffc9f1d7bef9f0bd249bf00d2

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
  Filesize  412B
  MD5       e898d07565d7ec964475795d45b24e42
  SHA1      85b228f2760548493a87aac5855b2a4655dc090f
  SHA256    8ac2c0869a75cfb4685511ea3805e3e058f1c00b941a11ebb798e825d3596c40
  SHA512    b93cbd3063fc93fcc13c707ceee6854c122357077b203de0bda3e980b3c75dd994744c3b967985d6d815fb28fba432000240d8a0cc9fb022b49983e645a03838

• C:\Users\Admin\AppData\Local\IconCache.db
  Filesize  14KB
  MD5       a821ad715f7ce301b3321b9d4f5ffd37
  SHA1      7803f0285e5a190d23265fb3c4d5e759653c9e09
  SHA256    a6c7ed0ee8d2821db97eb6de9f751d677ec4033166bc461491acde35d10fb81d
  SHA512    c7ec24449391c383f2ac3cba950a6132168f95f954fde9a1963a479fa16173abe83d94bd5fcccbbd711c7490f77ce8884cc4b46f46422c2b8242db12cbc4e0f3

• C:\Users\Admin\AppData\Local\IconCache.db
  Filesize  18KB
  MD5       27ed58d59537a6ada696142defb38eb7
  SHA1      93df03302eb57d068328cbc01a2d9979b6eb93ed
  SHA256    94dfdf33d367a3ab91629d1734ce1894d91e0720c79b5db039b1be10f27f8371
  SHA512    dd05b9efb8cdd14267c1499f3782592c54e98488c1dcf1de2d7d53a0d059e7d183402369e6c38a8f2fb496b1a7d7810ea3d69b41ada529cbb5ff2195d4bc7d4d

• C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
  Filesize  1022B
  MD5       977286f06621ec3ecd47d55bd83147e1
  SHA1      f1bd929459ece55d33f029dc234716a9a4d9f956
  SHA256    183b6a4473274d507e026c5367d54f0418c7693492fd7111372bb6f24d59e966
  SHA512    c6c5ddcb2f04786626b5a2236d038148fa9b5c8c68d481b54ef7fb3654d849ff006d7c2cd246b2c8054d48147ecfef400443f639eaff029e64818c9419db59a4

• C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133735032689076371.txt
  Filesize  74KB
  MD5       3b63bf15fde5d754728eb9226732145f
  SHA1      b8543abd00c1f5cd19f3af0319087a0df13fc0f4
  SHA256    a268a7a18663b2c8a01d27f1c53f328ddf24f3889a5c678addc67fb5d889f62d
  SHA512    ee24fc905ccf7180c0d2b5456ca402e5492c4f4b9d0b3982fdbe60796a9e0abc7635681889304c54dd2692a9480de593143ddb2102232f365d1374e587c97cd8

• memory/2336-62-0x000001D4B6610000-0x000001D4B6630000-memory.dmp
  Filesize  128KB

• memory/2336-40-0x000001D4B6200000-0x000001D4B6220000-memory.dmp
  Filesize  128KB

• memory/2336-31-0x000001D4B6240000-0x000001D4B6260000-memory.dmp
  Filesize  128KB

• memory/2336-26-0x000001D4B5200000-0x000001D4B5300000-memory.dmp
  Filesize  1024KB

• memory/2388-16-0x00000000009EB000-0x00000000009EC000-memory.dmp
  Filesize  4KB

• memory/2388-203-0x0000000000400000-0x0000000000A35000-memory.dmp
  Filesize  6.2MB

• memory/2388-18-0x0000000000400000-0x0000000000A35000-memory.dmp
  Filesize  6.2MB

• memory/2388-0-0x0000000000400000-0x0000000000A35000-memory.dmp
  Filesize  6.2MB

• memory/2388-13-0x0000000000B50000-0x0000000000B60000-memory.dmp
  Filesize  64KB

• memory/2388-210-0x0000000000400000-0x0000000000A35000-memory.dmp
  Filesize  6.2MB

• memory/2388-209-0x0000000000400000-0x0000000000A35000-memory.dmp
  Filesize  6.2MB

• memory/2388-10-0x0000000000400000-0x0000000000A35000-memory.dmp
  Filesize  6.2MB

• memory/2388-6-0x0000000000400000-0x0000000000A35000-memory.dmp
  Filesize  6.2MB

• memory/2388-5-0x0000000000400000-0x0000000000A35000-memory.dmp
  Filesize  6.2MB

                                                                                                                                                              • memory/2388-4-0x00000000009EB000-0x00000000009EC000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4KB

                                                                                                                                                              • memory/2388-2-0x0000000000400000-0x0000000000A35000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                              • memory/2388-1-0x0000000000B50000-0x0000000000B60000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/2388-208-0x0000000000400000-0x0000000000A35000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                              • memory/2388-198-0x0000000000400000-0x0000000000A35000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                              • memory/2388-199-0x0000000000400000-0x0000000000A35000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                              • memory/2388-200-0x0000000000400000-0x0000000000A35000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                              • memory/2388-201-0x0000000000400000-0x0000000000A35000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                              • memory/2388-202-0x0000000000400000-0x0000000000A35000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                              • memory/2388-17-0x0000000000400000-0x0000000000A35000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                              • memory/2388-204-0x0000000000400000-0x0000000000A35000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                              • memory/2388-205-0x0000000000400000-0x0000000000A35000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                              • memory/2388-206-0x0000000000400000-0x0000000000A35000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                              • memory/2388-207-0x0000000000400000-0x0000000000A35000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                              • memory/2600-12-0x0000000004100000-0x0000000004101000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4KB

                                                                                                                                                              • memory/3064-196-0x0000000004340000-0x0000000004341000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4KB

                                                                                                                                                              • memory/5040-24-0x0000000004A30000-0x0000000004A31000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4KB