Analysis

max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 18-12-2024 18:46
Static task: static1

Behavioral tasks (task | sample | resource):

behavioral1  | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | win7-20241010-en
behavioral2  | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | win10v2004-20241007-en
behavioral3  | $PLUGINSDIR/InstallOptions.dll | win7-20241010-en
behavioral4  | $PLUGINSDIR/InstallOptions.dll | win10v2004-20241007-en
behavioral5  | $PLUGINSDIR/LangDLL.dll | win7-20240903-en
behavioral6  | $PLUGINSDIR/LangDLL.dll | win10v2004-20241007-en
behavioral7  | $PLUGINSDIR/OCSetupHlp.dll | win7-20240903-en
behavioral8  | $PLUGINSDIR/OCSetupHlp.dll | win10v2004-20241007-en
behavioral9  | $PLUGINSDIR/System.dll | win7-20240903-en
behavioral10 | $PLUGINSDIR/System.dll | win10v2004-20241007-en
behavioral11 | $PLUGINSDIR/nsDialogs.dll | win7-20240903-en
behavioral12 | $PLUGINSDIR/nsDialogs.dll | win10v2004-20241007-en
behavioral13 | $TEMP/FileUnlocker_Installer.exe | win7-20241023-en
behavioral14 | $TEMP/FileUnlocker_Installer.exe | win10v2004-20241007-en
behavioral15 | $TEMP/QuickStores_Unlocker.exe | win7-20240903-en
behavioral16 | $TEMP/QuickStores_Unlocker.exe | win10v2004-20241007-en
behavioral17 | OpenCandy/OCSetupHlp.dll | win7-20241010-en
behavioral18 | OpenCandy/OCSetupHlp.dll | win10v2004-20241007-en
behavioral19 | Unlocker.exe | win7-20240729-en
behavioral20 | Unlocker.exe | win10v2004-20241007-en
behavioral21 | UnlockerAssistant.exe | win7-20240903-en
behavioral22 | UnlockerAssistant.exe | win10v2004-20241007-en
behavioral23 | UnlockerCOM.dll | win7-20240903-en
behavioral24 | UnlockerCOM.dll | win10v2004-20241007-en
behavioral25 | UnlockerDriver5.sys | win7-20240903-en
behavioral26 | UnlockerDriver5.sys | win10v2004-20241007-en
behavioral27 | UnlockerHook.dll | win7-20240903-en
behavioral28 | UnlockerHook.dll | win10v2004-20241007-en
behavioral29 | uninst.exe | win7-20240903-en
behavioral30 | uninst.exe | win10v2004-20241007-en
behavioral31 | $PLUGINSDIR/InstallOptions.dll | win7-20240903-en
behavioral32 | $PLUGINSDIR/InstallOptions.dll | win10v2004-20241007-en
General

Target: fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Size: 1.1MB
MD5: fcb5ec96e3734ba744f85a82a323fe5f
SHA1: 9e5ea5c38281d581230b43d84f08a16590b84d86
SHA256: f6b7aed9c264e53bbaf001e40205d1b38feafe5f51484ab9977fb9b2f4189bd9
SHA512: ddc651f3b81503c7cbd979d26b96ef896eabac41aff4ed7705975c5f2b64710f15b7f2f00f52ccdba71a0e404166e2c2eb0f2f978f0435170871fcc8480c9ed4
SSDEEP: 24576:Zr4EwQDvqEuT76GOrfmvLNMWqiIhf80DdMhu1c/WyVvQodu:+cyf7DNMW0DK01lR
Malware Config

Extracted family: sality
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Sality family

UAC bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe

Windows security bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe

Disables Task Manager via registry modification
Sets service image path in registry (2 TTPs, 1 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UnlockerDriver5\ImagePath = "\\??\\C:\\Program Files (x86)\\Unlocker\\UnlockerDriver5.sys" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
pid | process
2120 | UnlockerAssistant.exe
720 | FileUnlocker_Installer.exe
Loads dropped DLL (10 IoCs)
pid | process
1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
2120 | UnlockerAssistant.exe
720 | FileUnlocker_Installer.exe
1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Windows security modification
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UnlockerAssistant = "C:\\Program Files (x86)\\Unlocker\\UnlockerAssistant.exe" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UnlockerAssistant = "\"C:\\Program Files (x86)\\Unlocker\\UnlockerAssistant.exe\"" | UnlockerAssistant.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\S: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\U: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\Z: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\J: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\L: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\R: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\Q: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\T: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\W: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\X: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\Y: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\G: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\I: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\K: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\V: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\E: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\M: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\O: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\H: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\N: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened (read-only) | \??\P: | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
resource | yara_rule (40 matches, all on the same memory region of PID 1888; the dump index is listed in braces)
behavioral2/memory/1888-{1,3,4,5,6,7,8,19,20,21,23,24,25,26,27,29,113,115,116,119,121,123,124,129,131,133,135,136,138,144,145,146,148,151,152,154,155,157,159,160}-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
Drops file in Program Files directory (12 IoCs)
description | ioc | process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File created | C:\Program Files (x86)\Unlocker\Unlocker.exe | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File created | C:\Program Files (x86)\Unlocker\README.TXT | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File created | C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File created | C:\Program Files (x86)\Unlocker\UnlockerHook.dll | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File created | C:\Program Files (x86)\Unlocker\UnlockerDriver5.sys | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File created | C:\Program Files (x86)\Unlocker\UnlockerCOM.dll | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Unlocker\Unlocker.url | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
File created | C:\Program Files (x86)\Unlocker\uninst.exe | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Drops file in Windows directory (1 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileUnlocker_Installer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UnlockerAssistant.exe
Modifies registry class (11 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Program Files (x86)\\Unlocker\\UnlockerCOM.dll" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\folder\shellex\ContextMenuHandlers\UnlockerShellExtension | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\ = "UnlockerShellExtension" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\software\classes\WOW6432Node\clsid\UnlockerShellExtension | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs, all identical)
pid | process
1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs, all identical)
description | pid | process
Token: SeDebugPrivilege | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | process
2120 | UnlockerAssistant.exe

Suspicious use of SendNotifyMessage (1 IoCs)
pid | process
2120 | UnlockerAssistant.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | process
2120 | UnlockerAssistant.exe
720 | FileUnlocker_Installer.exe
720 | FileUnlocker_Installer.exe
Suspicious use of WriteProcessMemory (64 IoCs; every write comes from PID 1888, each distinct target is listed once)
description | pid | process | procid_target
PID 1888 wrote to memory of 776 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 8
PID 1888 wrote to memory of 784 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 9
PID 1888 wrote to memory of 1020 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 13
PID 1888 wrote to memory of 2712 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 45
PID 1888 wrote to memory of 2784 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 46
PID 1888 wrote to memory of 3004 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 52
PID 1888 wrote to memory of 3520 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 56
PID 1888 wrote to memory of 3632 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 57
PID 1888 wrote to memory of 3832 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 58
PID 1888 wrote to memory of 3936 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 59
PID 1888 wrote to memory of 4048 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 60
PID 1888 wrote to memory of 3624 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 61
PID 1888 wrote to memory of 4228 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 62
PID 1888 wrote to memory of 4684 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 64
PID 1888 wrote to memory of 548 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 76
PID 1888 wrote to memory of 3280 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 81
PID 1888 wrote to memory of 2120 | 1888 | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe | 99
System policy modification (1 TTPs, 1 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
Processes (indentation shows parent/child depth; each entry gives image path, command line, PID and the behaviors observed for that process)

C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:776
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:784
C:\Windows\system32\dwm.exe  "dwm.exe"  PID:1020
C:\Windows\system32\sihost.exe  sihost.exe  PID:2712
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2784
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:3004
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3520
    C:\Users\Admin\AppData\Local\Temp\fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe"  PID:1888
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Sets service image path in registry
        - Checks computer location settings
        - Loads dropped DLL
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe  "C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe"  PID:2120
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\AppData\Local\Temp\FileUnlocker_Installer.exe  "C:\Users\Admin\AppData\Local\Temp\FileUnlocker_Installer.exe" /silent  PID:720
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3632
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3832
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3936
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4048
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:3624
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4228
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4684
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:548
C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:3280
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (2)
    Create or Modify System Process (1)
        Windows Service (1)
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (2)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (7)
Downloads