Analysis

  • max time kernel
    107s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/10/2024, 00:04

General

  • Target

    4fc1e30a4888ba22af0b315fe3fe0787_JaffaCakes118.exe

  • Size

    830KB

  • MD5

    4fc1e30a4888ba22af0b315fe3fe0787

  • SHA1

    76432e3c293a479e43ca3a996b0be963333a6aba

  • SHA256

    6d907f1ea22ca8f81d3259baf20b0db7dd1e0bdfa591a0529622326bccd8ba03

  • SHA512

    ca793fa294adeba25275dd5907a1c74ffc22b59df7aecc15b1bfa83bb2f88529ac581be736db3e5c14fbc3bf897ab70f32845a00a8f67a24725b99d8ae789a76

  • SSDEEP

    24576:TlZYhGV8zpOrAe1ETenGblx3JG/yHJpijbUcWrmb:TlZmGy8rAe1ETeyTJHHJpij

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 28 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

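The following PowerShell is an added host-triage example for the indicators in this report; it is not part of the sandbox output and was not written by the sample's author. It checks the persistence and impact signatures that the process tree credits to the sample's own processes: the dropped executable, the Run key and the MBR write are attributed to C:\ProgramData\privacy.exe (PID 4456), while the Active Setup hits on this page are attributed to explorer.exe instances, so treat a StubPath finding as something to confirm rather than a definite sample artifact. The dropped-file path and the dropper SHA256 are taken from the report; the known-good MBR hash variable is a placeholder to be filled from a clean machine of the same image, and the regular expressions deciding which paths count as suspicious are the example's own assumptions. Run it in an elevated PowerShell session on the host being examined.

```powershell
# Added host-triage example for the indicators in this report (not sandbox output).
# Assumptions: elevated PowerShell on the host being checked; $DroppedFile and
# $DropperSha256 come from the report above; $KnownGoodMbrSha256 is a placeholder
# you record from a clean machine; the "suspicious path" regexes are this example's own.

$DroppedFile        = 'C:\ProgramData\privacy.exe'   # dropped EXE in the process tree
$DropperSha256      = '6d907f1ea22ca8f81d3259baf20b0db7dd1e0bdfa591a0529622326bccd8ba03'
$KnownGoodMbrSha256 = $null                           # assumption: fill from a clean baseline

$findings = New-Object System.Collections.Generic.List[string]

# 1. "Executes dropped EXE": is the dropped file still on disk, and is it the sample itself?
if (Test-Path -LiteralPath $DroppedFile) {
    $h = (Get-FileHash -LiteralPath $DroppedFile -Algorithm SHA256).Hash.ToLower()
    $note = if ($h -eq $DropperSha256) { 'identical to submitted sample' }
            else { 'hash differs from submitted sample; inspect manually' }
    $findings.Add("dropped file present: $DroppedFile sha256=$h ($note)")
}

# 2. "Adds Run key to start application": Run values pointing into user-writable locations.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not registry values
        # assumption: ProgramData and per-user AppData are the locations worth flagging here
        if ("$($p.Value)" -match '(?i)\\ProgramData\\|\\Users\\[^\\]+\\AppData\\') {
            $findings.Add("Run value '$($p.Name)' in $key -> $($p.Value)")
        }
    }
}

# 3. "Boot or Logon Autostart Execution: Active Setup": each component under
#    Installed Components may carry a StubPath that explorer.exe runs once per user at
#    logon. Flag StubPaths that do not point under the Windows or Program Files trees.
$asRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
foreach ($root in $asRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
        # assumption: legitimate stubs live under C:\Windows or C:\Program Files*
        if ($stub -and $stub -notmatch '(?i)^"?(C:\\Windows\\|C:\\Program Files)') {
            $findings.Add("Active Setup StubPath in $($_.PSChildName): $stub")
        }
    }
}

# 4. "Writes to the Master Boot Record (MBR)": read sector 0 of the first physical disk,
#    verify the 55 AA boot signature and hash the sector for comparison with a baseline.
try {
    $fs = New-Object System.IO.FileStream -ArgumentList '\\.\PhysicalDrive0',
        ([System.IO.FileMode]::Open), ([System.IO.FileAccess]::Read), ([System.IO.FileShare]::ReadWrite)
    $mbr  = New-Object byte[] 512
    $read = $fs.Read($mbr, 0, 512)
    $fs.Close()
    if ($read -ne 512 -or $mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) {
        $findings.Add("MBR boot signature missing or short read ($read bytes)")
    }
    $sha     = [System.Security.Cryptography.SHA256]::Create()
    $mbrHash = ([System.BitConverter]::ToString($sha.ComputeHash($mbr)) -replace '-', '').ToLower()
    if ($KnownGoodMbrSha256 -and $mbrHash -ne $KnownGoodMbrSha256) {
        $findings.Add("MBR sha256 $mbrHash differs from baseline $KnownGoodMbrSha256")
    } else {
        Write-Host "MBR sha256: $mbrHash (record this from a clean image to use as a baseline)"
    }
} catch {
    $findings.Add("could not read \\.\PhysicalDrive0: $($_.Exception.Message) (run elevated)")
}

if ($findings.Count -eq 0) { Write-Host 'No indicators from this report found on this host.' }
else { $findings | ForEach-Object { Write-Host "[!] $_" } }
```

The MBR read opens \\.\PhysicalDrive0 directly, which needs administrator rights; on a GPT disk the first sector still carries a protective MBR ending in 55 AA, so the signature check applies either way. A hash mismatch against the baseline only tells you the sector changed; dump it and compare the boot code with a known-good image before concluding a bootkit was installed, and remember that the Run key and dropped-file checks are the findings this report attributes to the sample itself.
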
Processes

  • C:\Users\Admin\AppData\Local\Temp\4fc1e30a4888ba22af0b315fe3fe0787_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4fc1e30a4888ba22af0b315fe3fe0787_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\ProgramData\privacy.exe
      C:\ProgramData\privacy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4456
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1480
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2608
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3044
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3108
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1172
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:4320
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4152
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      PID:3608
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4880
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:2292
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3508
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      PID:3992
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3648
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4340
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      PID:3912
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:3312
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:1564
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2516
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:4376
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4232
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:2156
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:4332
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:2348
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:1284
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:4416
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:3220
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:1220
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:2796
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:3576
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:2904
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4012
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:4440
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:1964
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4680
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2952
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:3628
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1392
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:404
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4000
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4548
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4712
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4092
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:428
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4512
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4868
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:908
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:1760
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:4196
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:872
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:1856
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3952
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:3440
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:4236
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:1044
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:1172
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:3892
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:2292
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:5020
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:4520
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:4004
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2648
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:2264
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:1784
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:3608
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:1636
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:4104
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:1416
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:1116
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:1380
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:2024
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2736
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:3480
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:2064
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:4340
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:3104
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:3812
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:3540
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4864
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:544
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:744
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:2448
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:2540
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:2512
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4292
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:732
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:2176
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:3932
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4276
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4384
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:804
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:2080
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:5080
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:4648
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4040
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:3096
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:3580
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:2740
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:372
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:2368
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:2760
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4048
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4444
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2356
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1772
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4684
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1848
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4124
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2916
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3744
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2728
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1892
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3716
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4904
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2888
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3692
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1524
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4308
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3816
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1552
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4516
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2840
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2692
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4928
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4812
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:180
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4924
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2528
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3772
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1140
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4460
  • C:\Windows\explorer.exe
                                                                                            explorer.exe
                                                                                            1⤵
                                                                                              PID:2672
                                                                                            • C:\Windows\explorer.exe
                                                                                              explorer.exe
                                                                                              1⤵
                                                                                                PID:4700
                                                                                              • C:\Windows\explorer.exe
                                                                                                explorer.exe
                                                                                                1⤵
                                                                                                  PID:1020
                                                                                                • C:\Windows\explorer.exe
                                                                                                  explorer.exe
                                                                                                  1⤵
                                                                                                    PID:4892
                                                                                                  • C:\Windows\explorer.exe
                                                                                                    explorer.exe
                                                                                                    1⤵
                                                                                                      PID:3364
                                                                                                    • C:\Windows\explorer.exe
                                                                                                      explorer.exe
                                                                                                      1⤵
                                                                                                        PID:2548
                                                                                                      • C:\Windows\explorer.exe
                                                                                                        explorer.exe
                                                                                                        1⤵
                                                                                                          PID:2404
                                                                                                        • C:\Windows\explorer.exe
                                                                                                          explorer.exe
                                                                                                          1⤵
                                                                                                            PID:2036
                                                                                                          • C:\Windows\explorer.exe
                                                                                                            explorer.exe
                                                                                                            1⤵
                                                                                                              PID:4948
                                                                                                            • C:\Windows\explorer.exe
                                                                                                              explorer.exe
                                                                                                              1⤵
                                                                                                                PID:3828
                                                                                                              • C:\Windows\explorer.exe
                                                                                                                explorer.exe
                                                                                                                1⤵
                                                                                                                  PID:4044
                                                                                                                • C:\Windows\explorer.exe
                                                                                                                  explorer.exe
                                                                                                                  1⤵
                                                                                                                    PID:2060

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\ProgramData\privacy.exe
  Filesize: 807KB
  MD5: 97708f4fc871aa424234fb56d11a227d
  SHA1: 683f6b33d2fbf333f046ccf8a53843f8485efab8
  SHA256: e66e99953ca14bf0c69dd842cc929ba5cc5a0cf46b2d5fd971235586008ce52c
  SHA512: e5f7b0e40b4e7a80531ded2a2d5e8e4f8182707e144977a335d1e16aed7ae3ca767d53286e73a300e60151d7e8f534a3a5eb4f56d4067bdba314c449e8c44b52

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
  Filesize: 471B
  MD5: 80f4b6c6abcad38e0c58949495a42797
  SHA1: 05c88d1b14e6d224926195356280863eb927bdb5
  SHA256: 22efdcfbd71feedb6b92414f7312ca8026308a7a22c45f0361328b90a581fb20
  SHA512: f10054fd0b47cc402edf4db0dbbe6f8606976787713c4ec33fdd77abca68b33673dd4fb71ddc43ff168e5c0401a64dfc14b4d09563ce15cc191aca8d7818a475

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
  Filesize: 412B
  MD5: f5fe58172229a8401c9df5fe62e4b5d0
  SHA1: 5514f8070d6edde49e5c4303e6445656530442fd
  SHA256: 1425078919921179e3fcc26dc76c8ded513be704c5d18febbdeb564313edd95f
  SHA512: be04d94b9d6cf4bfe6d3affa8b3fc4b8d08f4fd0d0c944b6c937129b82e78b06c7b952feba81f976bd6900a62898a32b8684a927b9cadfb73861b6f40d36f020

• C:\Users\Admin\AppData\Local\IconCache.db
  Filesize: 16KB
  MD5: bde0ced8056691ffc10c9d8af9590a8a
  SHA1: 5a327af2aff1520b3882f1b79333afe1d0b8066e
  SHA256: 158586c132fe9adad46fba03df99f5d01a69c2703a41a88d592b6d5d381fc7b1
  SHA512: cfc1117562b1dde06974231b31e751a6d6c810ce713ad1db351a119dd8a361cea2ad4153ebb3e70afde2b3a418bc84a29a09ae92169dadf3e341a3afe3448420

• C:\Users\Admin\AppData\Local\IconCache.db
  Filesize: 19KB
  MD5: 1a39376f474298b2b6c24947c4afd5f3
  SHA1: 3a7bded36720c3de4f2b2271d348b2db36844da9
  SHA256: 8ac6087d1b957abcb0293a0a7134aba7d63e24ec00c51f8c0e6f6106cc6513a7
  SHA512: 6a0364a3779373ca990e5c8262fcf16ca7556493dfe4548d1194739427d1c40f9fa69abf923bb802bf31ad01b4155fd303e83adbf43844e578539a91aae73da5

• C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
  Filesize: 1022B
  MD5: 83ccd2314306cd9c5cb88cc8636efb71
  SHA1: 9ee4d2cd6407025114eec0ad89770226268d56b9
  SHA256: d9eeb91afb3512c1a8d86c692eba99d0e554bd712af5a7fe8088eceb68e76b09
  SHA512: cd8a916e276e09f222f7ec89ac9b36d46cbcbf1427dad258f99bcbf46c3204048b1af626f5c50115077e6a5c38a5cb42174d0ffa0b601a58bd6a97d361b6cd38

• C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133735970797910670.txt
  Filesize: 75KB
  MD5: e67eb08fdd6dbe8e17d58ab260f1449d
  SHA1: 52a408fbb301e20782f57041b1396f189cdb45ee
  SHA256: 77c3eacbe50ca1be093d0b194b711645037ae94466290225973adeefdaad74d0
  SHA512: 56aa04a9c468a991ca1401eead4cb18a75332317b78c554640bb33df5be5bb955c907938c011440cf178d920dca6934a1b234a114235edc55132d887ee4d9940

• C:\Users\Admin\AppData\Local\Temp\{2ADC79C8-F15E-478F-9B3F-D63308DD4FE2}.png
  Filesize: 6KB
  MD5: 099ba37f81c044f6b2609537fdb7d872
  SHA1: 470ef859afbce52c017874d77c1695b7b0f9cb87
  SHA256: 8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7
  SHA512: 837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

• C:\Users\Public\Desktop\Privacy Protection.lnk
  Filesize: 672B
  MD5: 29b7a9f327a737bc15aedca85e888401
  SHA1: a87693554f9be16e02a2e32350d1597abc5d6bee
  SHA256: 51622f1a6ccbf828f7b4fa35bda3f50931dfbe020014ede086b2243c8297f38b
  SHA512: f9d082c42ffa824b4034c481e5f75e74a43931b2451317031d3fc82e8824b1bf01574ddd47d557d1cfaff8379dd472878ca28dbb4b01f7e861030a03f5f54623

• memory/3044-29-0x0000000004C40000-0x0000000004C41000-memory.dmp  Filesize: 4KB
• memory/3992-49-0x0000000004420000-0x0000000004421000-memory.dmp  Filesize: 4KB
• memory/4216-0-0x00000000029C0000-0x00000000029C8000-memory.dmp  Filesize: 32KB
• memory/4216-1-0x0000000000400000-0x00000000004DC000-memory.dmp  Filesize: 880KB
• memory/4216-23-0x0000000000400000-0x00000000004DC000-memory.dmp  Filesize: 880KB
• memory/4340-88-0x000002DB35810000-0x000002DB35830000-memory.dmp  Filesize: 128KB
• memory/4340-69-0x000002DB35400000-0x000002DB35420000-memory.dmp  Filesize: 128KB
• memory/4340-57-0x000002DB35440000-0x000002DB35460000-memory.dmp  Filesize: 128KB
• memory/4340-52-0x000002DB34400000-0x000002DB34500000-memory.dmp  Filesize: 1024KB
• memory/4456-188-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB
• memory/4456-185-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB
• memory/4456-195-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB
• memory/4456-39-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB
• memory/4456-40-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB
• memory/4456-15-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB
• memory/4456-16-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB
• memory/4456-14-0x00000000009F1000-0x00000000009F2000-memory.dmp  Filesize: 4KB
• memory/4456-34-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB
• memory/4456-183-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB
• memory/4456-184-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB
• memory/4456-12-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB
• memory/4456-186-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB
• memory/4456-187-0x0000000000400000-0x0000000000A0E000-memory.dmp  Filesize: 6.1MB

                                                                                                                        • memory/4456-33-0x00000000009F1000-0x00000000009F2000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4KB

                                                                                                                        • memory/4456-189-0x0000000000400000-0x0000000000A0E000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          6.1MB

                                                                                                                        • memory/4456-190-0x0000000000400000-0x0000000000A0E000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          6.1MB

                                                                                                                        • memory/4456-191-0x0000000000400000-0x0000000000A0E000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          6.1MB

                                                                                                                        • memory/4456-192-0x0000000000400000-0x0000000000A0E000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          6.1MB

                                                                                                                        • memory/4456-193-0x0000000000400000-0x0000000000A0E000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          6.1MB

                                                                                                                        • memory/4456-194-0x0000000000400000-0x0000000000A0E000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          6.1MB

                                                                                                                        • memory/4880-41-0x00000000040C0000-0x00000000040C1000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4KB