modiloader | 6288dc2f60e9baa78b7d7c552799860ed18783f67a99cc49e99d67a28ed031c0

Analysis

max time kernel
146s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
Size

814KB
MD5

789c6779ad26b3867d6a60e58672b327
SHA1

f8fb0ae7553887ffd9fb54ce33eca3b6b0cbb099
SHA256

6288dc2f60e9baa78b7d7c552799860ed18783f67a99cc49e99d67a28ed031c0
SHA512

5a01e7d8d0bc5f5a52baf6df9b3c43333af5ebbd9a18a4178e426db6c2407ada99a840549c5aff8cf7b56e2406c60eb771fede2794292165baf82e40cf3d9aed
SSDEEP

6144:G1SnWpE50M4YzKCtEvK+ufTq1tlasJYAtUrw7X0O5AKT06QIX+CKZJ60oJ8sQfyR:1nWpDM8uWjHeFzF7ShoS

Score

10^/10

modiloader discovery evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 10 IoCs

resource	yara_rule
behavioral1/memory/2584-26-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2584-25-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2584-103-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2788-129-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2788-128-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2788-131-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2788-130-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2788-234-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2788-237-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2788-241-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
1044	mstwain32.exe
2440	mstwain32.exe
2788	mstwain32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1524 set thread context of 2716	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	30
PID 1524 set thread context of 2584	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	33
PID 1044 set thread context of 2440	1044	mstwain32.exe	39
PID 1044 set thread context of 2788	1044	mstwain32.exe	42

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2584-15-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2584-18-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2584-16-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2584-26-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2584-25-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2584-24-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2584-23-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2584-103-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2788-127-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2788-129-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2788-128-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2788-131-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2788-130-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2788-234-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2788-237-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2788-241-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mstwain32.exe	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{24B224E0-9545-4A2F-ABD5-86AA8A849385}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{F91CAF91-225B-43A7-BB9E-472F991FC402}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{996BF5E0-8044-4650-ADEB-0B013914E99C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	mstwain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{996BF5E0-8044-4650-ADEB-0B013914E99C}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{24B224E0-9545-4A2F-ABD5-86AA8A849385}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{F91CAF91-225B-43A7-BB9E-472F991FC402}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX, 2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Version\ = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar\CLSID\ = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl.2\ = "Microsoft ListView Control 6.0 (SP6)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE36-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl.2\CLSID\ = "{996BF5E0-8044-4650-ADEB-0B013914E99C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl.2	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl\CurVer\ = "MSComctlLib.ImageListCtrl.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Version\ = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl\CLSID\ = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}\ = "TreeView General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Version\ = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3B-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CLSID\ = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl.2\CLSID\ = "{DD9DA666-8594-11D1-B16A-00C0F0283628}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\ = "Microsoft TabStrip Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider\CLSID\ = "{F08DF954-8592-11D1-B16A-00C0F0283628}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE36-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628}\ = "Slider General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\CONTROL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
Token: SeBackupPrivilege	3040	vssvc.exe
Token: SeRestorePrivilege	3040	vssvc.exe
Token: SeAuditPrivilege	3040	vssvc.exe
Token: SeDebugPrivilege	2788	mstwain32.exe
Token: SeDebugPrivilege	2788	mstwain32.exe
Token: SeDebugPrivilege	2440	mstwain32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
2440	mstwain32.exe
2440	mstwain32.exe
2440	mstwain32.exe
2788	mstwain32.exe
2788	mstwain32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2716	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	30
PID 1524 wrote to memory of 2716	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	30
PID 1524 wrote to memory of 2716	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	30
PID 1524 wrote to memory of 2716	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	30
PID 1524 wrote to memory of 2716	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	30
PID 1524 wrote to memory of 2716	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	30
PID 1524 wrote to memory of 2716	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	30
PID 1524 wrote to memory of 2716	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	30
PID 2716 wrote to memory of 2780	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	31
PID 2716 wrote to memory of 2780	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	31
PID 2716 wrote to memory of 2780	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	31
PID 2716 wrote to memory of 2780	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	31
PID 2716 wrote to memory of 2780	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	31
PID 2716 wrote to memory of 2780	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	31
PID 2716 wrote to memory of 2780	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	31
PID 2716 wrote to memory of 2960	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	32
PID 2716 wrote to memory of 2960	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	32
PID 2716 wrote to memory of 2960	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	32
PID 2716 wrote to memory of 2960	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	32
PID 2716 wrote to memory of 2960	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	32
PID 2716 wrote to memory of 2960	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	32
PID 2716 wrote to memory of 2960	2716	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	32
PID 1524 wrote to memory of 2584	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	33
PID 1524 wrote to memory of 2584	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	33
PID 1524 wrote to memory of 2584	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	33
PID 1524 wrote to memory of 2584	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	33
PID 1524 wrote to memory of 2584	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	33
PID 1524 wrote to memory of 2584	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	33
PID 1524 wrote to memory of 2584	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	33
PID 1524 wrote to memory of 2584	1524	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	33
PID 2584 wrote to memory of 1044	2584	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	38
PID 2584 wrote to memory of 1044	2584	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	38
PID 2584 wrote to memory of 1044	2584	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	38
PID 2584 wrote to memory of 1044	2584	JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe	38
PID 1044 wrote to memory of 2440	1044	mstwain32.exe	39
PID 1044 wrote to memory of 2440	1044	mstwain32.exe	39
PID 1044 wrote to memory of 2440	1044	mstwain32.exe	39
PID 1044 wrote to memory of 2440	1044	mstwain32.exe	39
PID 1044 wrote to memory of 2440	1044	mstwain32.exe	39
PID 1044 wrote to memory of 2440	1044	mstwain32.exe	39
PID 1044 wrote to memory of 2440	1044	mstwain32.exe	39
PID 1044 wrote to memory of 2440	1044	mstwain32.exe	39
PID 2440 wrote to memory of 2680	2440	mstwain32.exe	40
PID 2440 wrote to memory of 2680	2440	mstwain32.exe	40
PID 2440 wrote to memory of 2680	2440	mstwain32.exe	40
PID 2440 wrote to memory of 2680	2440	mstwain32.exe	40
PID 2440 wrote to memory of 2680	2440	mstwain32.exe	40
PID 2440 wrote to memory of 2680	2440	mstwain32.exe	40
PID 2440 wrote to memory of 2680	2440	mstwain32.exe	40
PID 2440 wrote to memory of 2776	2440	mstwain32.exe	41
PID 2440 wrote to memory of 2776	2440	mstwain32.exe	41
PID 2440 wrote to memory of 2776	2440	mstwain32.exe	41
PID 2440 wrote to memory of 2776	2440	mstwain32.exe	41
PID 2440 wrote to memory of 2776	2440	mstwain32.exe	41
PID 2440 wrote to memory of 2776	2440	mstwain32.exe	41
PID 2440 wrote to memory of 2776	2440	mstwain32.exe	41
PID 1044 wrote to memory of 2788	1044	mstwain32.exe	42
PID 1044 wrote to memory of 2788	1044	mstwain32.exe	42
PID 1044 wrote to memory of 2788	1044	mstwain32.exe	42
PID 1044 wrote to memory of 2788	1044	mstwain32.exe	42
PID 1044 wrote to memory of 2788	1044	mstwain32.exe	42
PID 1044 wrote to memory of 2788	1044	mstwain32.exe	42
PID 1044 wrote to memory of 2788	1044	mstwain32.exe	42
PID 1044 wrote to memory of 2788	1044	mstwain32.exe	42

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 MSCOMCTL.OCX /s
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2780
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 TABCTL32.OCX /s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe"
  2⤵
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_789c6779ad26b3867d6a60e58672b327.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\mstwain32.exe
      "C:\Windows\mstwain32.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 MSCOMCTL.OCX /s
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:2680
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 TABCTL32.OCX /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
  - - C:\Windows\mstwain32.exe
      "C:\Windows\mstwain32.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\1cga[1].png

Filesize
4KB

MD5
8c2be93327d1a877a2a41327ab3d5a65

SHA1
8521286d5f290cacd1aed49ae9cac236dc8e63f0

SHA256
7410b1179b3e1b9cff5a78df292c327d6222af279968f311dec0011358de895f

SHA512
337935b887395309984efef9af36e907cdd8d0991b131f1b3949052d1faf9ad719d1da4aa45fcd1553aabd27bfd0184e5a925ef8cedf3f257fe16e5dca3ef5e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\2oyr[1].png

Filesize
3KB

MD5
2a9e5dcc9576de5a8015f5084515786c

SHA1
db64486a0e387188995bf0726939e3cc9f6a3471

SHA256
06ef896725604dcc40a7566e82e0e6437631c757ea9c5f02990e6ed502ecb915

SHA512
2c8462c60ba4ede848d8997a9a24a3dec7e83caf5f2a332c99f281a6e20fdaca952c40a4b418847d00dff40aa1e97a3622b85ddc7a15e6fb1f594dc163a2b489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\8yops[1].png

Filesize
16KB

MD5
b4738389dc68a049d07fcd89a4d240ef

SHA1
a59e59c90df016b5683a85eb0b7eda92f3406a69

SHA256
97ef870fc05f9cb7c49549304fb04b51f3afe4e0ecf02abf5ec8fcd42f1a9543

SHA512
ccd9b96627dbf1acb9f5e4642fcca0d8b2ebfc9a12a4c352e1fee30f13d50edd66e1c89eaef23769b52113f5fc92e28cc256772b4f7cb9d91f876f256beae726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\atamsg[1].png

Filesize
6KB

MD5
01923e1e2b5201f2da8de9cdfe588e04

SHA1
1e47143de5aa6a138043831fa09ac708759be040

SHA256
fe654d41c65125961b78cf6fa75385a4ae3e72e2e573b2f79eefcf543a8bcdf3

SHA512
190e68d79423212ba3a2daf07c291af728d9cead989bc16de533c83c23e6e5757306cc90942041cf614fe9a4fc2b7aa4b8207d9284ade1d341a2c4ccbd5d79eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\cf-no-screenshot-error[1].png

Filesize
3KB

MD5
0d768cbc261841d3affc933b9ac3130e

SHA1
aff136a4c761e1df1ada7e5d9a6ed0ebea74a4b7

SHA256
1c53772285052e52bb7c12ad46a85a55747ed7bf66963fe1993fcef91ff5b0d0

SHA512
ce5b1bbb8cf6b0c3d1fa146d1700db2300abd6f2bdbe43ecaac6aebc911be6e1bcd2f8c6704a2cfa67bbb45598793ddec017e05c2c37ce387293aae08e7c342f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\hedef[1].png

Filesize
5KB

MD5
b5089c6afed491ff410d4ac30495fe4f

SHA1
6d7e9f16a715d2b9ae9d9449fcd22e4fc337da59

SHA256
796ef350689a967785160aff1567e9ea1e5a1099183e92fb14f5ecd224eee635

SHA512
7a39f17c62ec35544c913276496f5fd72aa800081b8cdbb29445b12ee6db7d1199fe9945c566a8adec5955351c990080a8e3ee8f82a255955d084bcac9828996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\0mka[1].png

Filesize
2KB

MD5
5e46cc6d93e6c37b282d4eacf07a7b84

SHA1
80855f201e4f8737cb4b18dca616ade12dcb0d4f

SHA256
d03276253628c9a0f28b954fef4132065b2993182ff454ffa31d82e77baa622c

SHA512
fc7309707532ad7075c9fdd306c22269897a220012289e98ce98b64011b4ab83f220849de6d6566b47c74675f448c5a44b5b14613f3188e7795b26748712b998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\5asi[1].png

Filesize
3KB

MD5
b72f3c639c6841ddaddac94091ec487e

SHA1
87d8a26bd50698f0d96e11a12146151ad5e0f27c

SHA256
f85640c546ffbd268a86c9ce1765c5c7378ea113615e65562e8f3cc53a313c28

SHA512
3efa8f74c3875b2ef31717f79e044134113d05990f9117c724395c4d72c2b2c91fe43f28e1565e68a56035398f0cf54942d51a1392a6d8da8445707ed1a3f991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\ET47IJ5Q.htm

Filesize
24KB

MD5
e10d97368f1cc6ff17d26e9efd46d738

SHA1
fc9996f170263a63c0e4403db26573bcb34c2ddb

SHA256
0e2a8c3195be3c689fc37dc52f9f06328b54709421e87167b9a77ed22d22e33f

SHA512
bec234d2e5dbd7b14bf4233ff8900b633fea808ca5a33b1fed751cbed40078759a9d0aa1d97a0d386f814b6b24ae12dcbdbb52c66f1ba58514a8d928c11d9935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\browser-bar[1].png

Filesize
715B

MD5
226dcb8f6144bdaafdfbd8f2f354be64

SHA1
3785cc5b3bf52f8e398177b0ff1020b24aa86b8c

SHA256
8c873472f4925d5d47521db4d52532d2983e9cb1bde8b43143a6cc6db56c35db

SHA512
ed898b12c4895f7aceaab443c1071e6376db71b4dfdbd769f5f3be71d562438a18b5e5dc36dd7cc610926e380603a894b2e81df4302680c736a412bfd3360d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\cf.errors[1].css

Filesize
23KB

MD5
5e8c69a459a691b5d1b9be442332c87d

SHA1
f24dd1ad7c9080575d92a9a9a2c42620725ef836

SHA256
84e3c77025ace5af143972b4a40fc834dcdfd4e449d4b36a57e62326f16b3091

SHA512
6db74b262d717916de0b0b600eead2cc6a10e52a9e26d701fae761fcbc931f35f251553669a92be3b524f380f32e62ac6ad572bea23c78965228ce9efb92ed42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\zback[1].png

Filesize
8KB

MD5
95220949e94593b2a0b2c74ca86e39db

SHA1
b0758052bc35ed327f5d0262d3f72f126844f781

SHA256
6b166c0214ea600130f7b9f532bf8b79c11af802f6703b05f5f80240593cfccc

SHA512
b189cb82d9dd67280aea56db6c079adc4f2104079e208ed5a250e41c01bf18976caf17c134cacc0cc8214b4b7ed38dd0108b1c7e43d32096985edb3ad93fbce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\1XC7M0WM.htm

Filesize
1KB

MD5
46f2c4e036dc64e235c6db7b3edde888

SHA1
6bf37f1b32cdbd454ef450d28105437db77ac005

SHA256
d015049da21bf4ecad409f4d9428cc517e5fd7bf7af0bdd11393d37c154a48bb

SHA512
4c1d3f5ee962f02866e144e00276ac73bb139029d5e81ba883f76b75d481028215bcb9a162751db684ff22dae778efbc0afeca25e2579cbc4cdccb9cf3cbd7ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\3loc[1].png

Filesize
2KB

MD5
bcb9f5e15d360be58a8d5ab52ede3ba8

SHA1
4e9870e1f57f95fc9e5a5893fd032017a28384f4

SHA256
4ffff046fedc1e074c00be2ec96c9f052261bb15954ed97fa2bd752c702eac19

SHA512
bde6b190e1cc0d5ad932695dffebb617c5374594eef83c50d088db8f30194d6eee9eae548a627cfe6361afa5957c06717dc44804ad38a4ff7a641b7974430c1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\4ted[1].png

Filesize
1KB

MD5
3754cc522d518740eade2419ccba3db3

SHA1
3e2006c05cc25092d23d084d57ee2e092dd0b90c

SHA256
e64012a2790ae9a288310a20303103a90b96a5c49888ba9b5ccb36fcb0b589a5

SHA512
9ac590c36be0ff88b1c18850ad1f6f07d887e4031b81f2620f9e010929e95706dc96ccf0a6024db44a9337a237da4e7abac0b2783eb45a0a36bf27cbb987099a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\dnserrordiagoff[1]

Filesize
1KB

MD5
47f581b112d58eda23ea8b2e08cf0ff0

SHA1
6ec1df5eaec1439573aef0fb96dabfc953305e5b

SHA256
b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

SHA512
187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\ins[1].png

Filesize
1KB

MD5
608660160cf00bd6fdfae0769a2038a1

SHA1
605959b5d016eacda205b18a8abc6e0abdf2843a

SHA256
38f265c5d0a28dc454caa23fc269d06361beea823096e0fbf0daa6ca70a7dbbe

SHA512
e437402a4f7cedcb595cb7c9aa1aea4a7d318faf0f5f9ca21524550213fa3f97a135e8f83ec14653d665837cae54f8d194fe08bc6aa5b9b81f806922fc4edfa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\mlog[1].png

Filesize
724B

MD5
0cc72f05817be71a0e3073b035e4c3ff

SHA1
b3161fc72e955d016d56ec28d1030ca1201aeabf

SHA256
a55618ed4722df0226957d5654e301dcdb977986758bf46a1ddd77bf935c1fa3

SHA512
28eee91ad8fdc60ae4fe409e0550ea2c55f6cd388023575409d8aee79e049e3155ef1adc3331a8bb5cc502e4bf1a000d91bba1ddda61f411269e38e3ed07257c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\yenk[1].js

Filesize
3KB

MD5
f7a13430a84ab2a4046b96252b953211

SHA1
e130d015509ec6056a827fb24d532e4d9197577e

SHA256
5f6bdc4bdf47e8082cfe2067490c72ba167e6d95a4c7206e1cc3195aca789164

SHA512
d526d299ac4a165a59bd85599eadd6a0f678c823a48ebebc320a7ab292107d54e7e73766857f80390cea36060beb7b47f9fc8dd09bd89adedf484f7c8feb6377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\fbi[1].png

Filesize
1KB

MD5
da0f780c5f13a7ab93d0e8a93892bb69

SHA1
6830f338d8af0b375e4a2322915279869a09006f

SHA256
ba88e6030768cb953e0417c1a695c1648d1405960742bdec540bda1c49e568ad

SHA512
241dedcd9130f37bbdc0e69bcfb11c317ca496a4fabf6ed98c4dd80286670e0664d51d37fc90971337efba4afef2ba975cfd686478c72a3fcafa00e4ae9a4d61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\logo[1].png

Filesize
4KB

MD5
218c0bfac4b2026646f1535c808a3b97

SHA1
f0c0533dbc4cefff3b6d0e395be0ea25d02769cf

SHA256
bf83e429ca4a1ca9bc3025e6bcbccfb4af8a0b82ebf2fff42884b0a5631575ed

SHA512
4d555227599ed024c922bb44984a34a8de286040cc4c34e26fa164bda04d06a22f05357d9394c9651bf671d6e7ae5ec79f4b7e5dfa12f94505775297eb69d872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\main[1].js

Filesize
8KB

MD5
de07b27fee0667a2828a989ed35223fd

SHA1
5e067908001f144e8088fbf8ab2227d1d1f67adb

SHA256
c98dc0ed7e03a30c7940120bc8a78266c6b90c0d93778f93f73d2660d799616d

SHA512
d88889685c1b670b4dee07d6da45c863269f88429a6b85ae97435ec28629dc74ca2581716745ec843e3ae0d191b1370fe380c3b0a0177efbfdfd8699bcebf49b

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
53a8700fc50ce8d4d63d31512de7748e

SHA1
e86816352b5ff62dfe176a8ee2b378b920c810b8

SHA256
f67ec0dcebdb116f14082d862419578c0f56542558d7cb922addee2f776f9c38

SHA512
7d65a8c2547ec97718b56f9cf88a99d205612da63c35db32574760b2afed897eb6ee979bb2fc002d472083d0bb6a4346486524229bc9ecc44123f1d6f494a554

Download Submit
C:\Windows\mstwain32.exe

Filesize
814KB

MD5
789c6779ad26b3867d6a60e58672b327

SHA1
f8fb0ae7553887ffd9fb54ce33eca3b6b0cbb099

SHA256
6288dc2f60e9baa78b7d7c552799860ed18783f67a99cc49e99d67a28ed031c0

SHA512
5a01e7d8d0bc5f5a52baf6df9b3c43333af5ebbd9a18a4178e426db6c2407ada99a840549c5aff8cf7b56e2406c60eb771fede2794292165baf82e40cf3d9aed

Download Submit
memory/1044-126-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1524-22-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2440-156-0x0000000007D80000-0x0000000007D8E000-memory.dmp

Filesize
56KB

Download
memory/2440-135-0x00000000042A0000-0x0000000005302000-memory.dmp

Filesize
16.4MB

Download
memory/2440-232-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2440-233-0x0000000007D80000-0x0000000007D8E000-memory.dmp

Filesize
56KB

Download
memory/2440-143-0x0000000003E60000-0x0000000003E8E000-memory.dmp

Filesize
184KB

Download
memory/2584-103-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2584-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2584-15-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2584-26-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2584-14-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2584-18-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2584-23-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2584-24-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2584-25-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2716-31-0x0000000005EF0000-0x0000000005F1E000-memory.dmp

Filesize
184KB

Download
memory/2716-2-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2716-30-0x0000000005EB0000-0x0000000005EED000-memory.dmp

Filesize
244KB

Download
memory/2716-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-0-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2716-7-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2716-27-0x00000000040F0000-0x0000000005152000-memory.dmp

Filesize
16.4MB

Download
memory/2716-4-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2716-198-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2716-11-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2788-130-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2788-131-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2788-136-0x0000000001E00000-0x0000000001E0E000-memory.dmp

Filesize
56KB

Download
memory/2788-127-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2788-128-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2788-129-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2788-234-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2788-237-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2788-236-0x0000000001E00000-0x0000000001E0E000-memory.dmp

Filesize
56KB

Download
memory/2788-235-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/2788-241-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads