60f1af2b47786036ad2f16291e82da7b9b0d321450c1ef05a86b57a7ccb5cd07

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe
Size

185KB
MD5

7a787470d6f62f1c877e9964fb86e513
SHA1

91ca45995b111f61ff3582d70e45136bfe0d3c7e
SHA256

60f1af2b47786036ad2f16291e82da7b9b0d321450c1ef05a86b57a7ccb5cd07
SHA512

167aa5bb3586eb565a7de49b1f823a249fadcc9cab3aa04eb25639030a3778cd8fb756b6a801dbb6e596cf3b6844519200082aa70188c046aa219ee28bac55d3
SSDEEP

3072:nwX6yB0YfnMqh88W+RhjLRHzAA5/RWbzAlzS4wh1JEgxitBOQPYPfWaNNrqniOfQ:nNk0YfJhjVLYR/1KgjgfAe5RmpzT

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2848	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513mgr.exe

Loads dropped DLL 8 IoCs

pid	Process
2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe
2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Screen Saver Pro 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\ScreenSaverPro.scr"	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ehokoo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Ehokoo.exe"	mspaint.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\D:	mspaint.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\F:	mspaint.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 2660	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	33

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2780	2848	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442166901"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C3992B01-CAB1-11EF-A88A-DE8CFA0D7791} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe
2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe
Token: SeDebugPrivilege	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe
Token: SeDebugPrivilege	2780	WerFault.exe
Token: SeDebugPrivilege	2848	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513mgr.exe
Token: SeDebugPrivilege	2792	svchost.exe
Token: SeDebugPrivilege	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe
Token: SeDebugPrivilege	2668	mspaint.exe
Token: SeDebugPrivilege	1928	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2196	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2668	mspaint.exe
2668	mspaint.exe
2668	mspaint.exe
2668	mspaint.exe
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE
1928	IEXPLORE.EXE
1928	IEXPLORE.EXE
1928	IEXPLORE.EXE
1928	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2848	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	30
PID 2776 wrote to memory of 2848	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	30
PID 2776 wrote to memory of 2848	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	30
PID 2776 wrote to memory of 2848	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	30
PID 2848 wrote to memory of 2780	2848	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513mgr.exe	31
PID 2848 wrote to memory of 2780	2848	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513mgr.exe	31
PID 2848 wrote to memory of 2780	2848	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513mgr.exe	31
PID 2848 wrote to memory of 2780	2848	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513mgr.exe	31
PID 2776 wrote to memory of 2792	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	32
PID 2776 wrote to memory of 2792	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	32
PID 2776 wrote to memory of 2792	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	32
PID 2776 wrote to memory of 2792	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	32
PID 2776 wrote to memory of 2792	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	32
PID 2776 wrote to memory of 2792	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	32
PID 2776 wrote to memory of 2792	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	32
PID 2776 wrote to memory of 2660	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	33
PID 2776 wrote to memory of 2660	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	33
PID 2776 wrote to memory of 2660	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	33
PID 2776 wrote to memory of 2660	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	33
PID 2776 wrote to memory of 2660	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	33
PID 2776 wrote to memory of 2660	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	33
PID 2776 wrote to memory of 2660	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	33
PID 2776 wrote to memory of 2660	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	33
PID 2776 wrote to memory of 2660	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	33
PID 2776 wrote to memory of 2660	2776	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	33
PID 2792 wrote to memory of 2668	2792	svchost.exe	34
PID 2792 wrote to memory of 2668	2792	svchost.exe	34
PID 2792 wrote to memory of 2668	2792	svchost.exe	34
PID 2792 wrote to memory of 2668	2792	svchost.exe	34
PID 2660 wrote to memory of 2128	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	36
PID 2660 wrote to memory of 2128	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	36
PID 2660 wrote to memory of 2128	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	36
PID 2660 wrote to memory of 2128	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	36
PID 2128 wrote to memory of 2196	2128	iexplore.exe	37
PID 2128 wrote to memory of 2196	2128	iexplore.exe	37
PID 2128 wrote to memory of 2196	2128	iexplore.exe	37
PID 2128 wrote to memory of 2196	2128	iexplore.exe	37
PID 2196 wrote to memory of 1928	2196	IEXPLORE.EXE	38
PID 2196 wrote to memory of 1928	2196	IEXPLORE.EXE	38
PID 2196 wrote to memory of 1928	2196	IEXPLORE.EXE	38
PID 2196 wrote to memory of 1928	2196	IEXPLORE.EXE	38
PID 2660 wrote to memory of 2776	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	29
PID 2660 wrote to memory of 2776	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	29
PID 2660 wrote to memory of 2848	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	30
PID 2660 wrote to memory of 2848	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	30
PID 2660 wrote to memory of 2780	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	31
PID 2660 wrote to memory of 2780	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	31
PID 2660 wrote to memory of 2792	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	32
PID 2660 wrote to memory of 2792	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	32
PID 2660 wrote to memory of 2668	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	34
PID 2660 wrote to memory of 2668	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	34
PID 2660 wrote to memory of 2668	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	34
PID 2660 wrote to memory of 2668	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	34
PID 2660 wrote to memory of 2668	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	34
PID 2660 wrote to memory of 1928	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	38
PID 2660 wrote to memory of 1928	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	38
PID 2660 wrote to memory of 1928	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	38
PID 2660 wrote to memory of 1928	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	38
PID 2660 wrote to memory of 1928	2660	JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe	38

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a787470d6f62f1c877e9964fb86e513mgr.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a787470d6f62f1c877e9964fb86e513mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 92
    3⤵
    - Loads dropped DLL
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe"
    3⤵
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2668
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a787470d6f62f1c877e9964fb86e513.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60712a314e2264686356b47ff13df94e

SHA1
96cf7d0f0bb0c79da9408ca86436f9ffee297a78

SHA256
b2bf492e1ef984bf63c22615aaf6257bdbd6a41b98266565c8b79aaf569f97c0

SHA512
2587e65cb42d69c2a1ddb1ba71a7e3952fede6de41ed9520727277bf74ebaac272af0e3686f4d8e93a2c6274bf428283ee4c16835bd7d6e3cc061c74221c4367

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bae8a6f32503b6157c32c9de121bc4c4

SHA1
268288d4999217ac79f665119ed441e7db8fd3ca

SHA256
4123af8ca849f661bf51791276b1eedab88f406a73747c48867f923703acce05

SHA512
b78fc43cad24d535247b282975d726b285e32cde4fa3d1be13840abbac9e6f981ef69e74dde4a6ecd87b73d82d468e3f174522836a009a6bfce607faf1b47b3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87e3ac107afeb6d3012c0db45dbf34b9

SHA1
774589e7411c36f6592ba5a54211fd9dc5dad9e1

SHA256
825b3ee129790e9900010e178ed9ac0e3418772187b9cc84a12c57ad31a5a370

SHA512
cfecf32de8b4e366c36cfe5cd9807539e2cc4be4affe1613f36ddaa7a986bb775220ac445b582505fad3173bf6d60611a052557f7c4f8f80525028a173cc99fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e7cf6825636555daacb25d6f3f8a1fc

SHA1
f1fbec3698273e41c31ac960d85d978a77430015

SHA256
486eb841f715fc685816460df4d8f7df19386336d5b9e3bd707fa38543f8a725

SHA512
4b4d5cf582609172c82870b541bbc4addf28de2598be9c6445930e1db3a543a97209f90cab8679ab789a3a37fd9ed6f155a11e9fd6bd0ba434ae8bc7c7df54a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3afe5381446ee4e74c0f3cef8d5bf7ee

SHA1
f26bc2ae64924c68c23461d52a5102860efd76f1

SHA256
a3ecce50e77b64e4afccb8f23afdb67971ac1b277bf71c00f2a7aa90138bc9f2

SHA512
975b049541186cb2780333b51d78964b4fec61f3eb2f7eab30620a6060286229660777acd9c6ec1077a92938b874f3a1eaf6f2c2c8fe00c3821965d0d56bdecf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
430472facf7891a6d2780594480d66f0

SHA1
c3b9e8e42d0688d4fdb376ae4d6ff213b47a0ddb

SHA256
31307dd86622fddc110af079aae0d9378cc82257fea884847231c09603cd4c95

SHA512
6de6f0a097a2537cd69e8930944291ef584a05242a207bde465f1211e50a893fc2f808d662adc93400ab7c7029b83aeabc2d052860fbd5f88f701fb1d4ebc4fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf2b0c9e2c9fb2678c606c141734ae53

SHA1
ebb37c5abab2c351f2c212ec4b9b201d5055e9aa

SHA256
69de0052bd464abf0ba79633e36312688688c1204c3a775559c1b77401c58a6d

SHA512
f158f772b3a6377d6016989cdbb8eceb4e7a2043b1749ed4255d5af4dbe599f77f4f762f60d93121a91781bc7984bb930b0ec38307f915a000492c5eb2bc2b14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
886fa10c5aa946c59e152b8af3998670

SHA1
8a61153a17e69f3f10a5fb1c27992cac750134f6

SHA256
fa0d68a29f828b5dddca1563e8414c8cbac391ddf37899a4f867e5ca097bd516

SHA512
4c72391ab537dcc076f3e7cf63eb368c3eedbfc26246b7fb0aa4bb14d6f1da2423024572f21a5d45046fa02e703cf7d62d5f463241c9325ebbb4cd39da25ca40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0751b68411d54295994a7aa7d7097980

SHA1
362aa5f01f6e4f8c364d238c81cec41002b4e2d4

SHA256
b2caec248f52b043e3131737a23417ae2d01c5ba8212955f3de21936d53716a3

SHA512
a64c40a97d225500d629574c51752b13e936e1546d5b34c42e870351c825a3e571f6e1753aa5ef46a0a692ce46d135f9d4fa13487e8fad49041aa0f1ed0d62c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f079ac1e25fa02844f2b33b32994aa33

SHA1
8acae51f0ccb50938faf408429f6769af675f516

SHA256
193b594fb0c4b529b32e7d22f4693130bff375f7a9f24a64953d12fa76f66491

SHA512
f9bc832831a09e1d6e4b58b78557e761adae9e79691f919687d513fbb0844e246bff3b18a333fbb8097abf8bd5b6d5eba7058748293b4b07c7197b4e18ef6dc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c74d1277c7f47b3ad723311ff0b917ff

SHA1
ece1783929590ecd4b37c0b06e0890a57627b783

SHA256
a7bf22fe071eac9866f0ccf76192eae72efc018122a4a783d27844c7971ef484

SHA512
c18cca1f602e2fddd9d4a9f45cbe8e8600d8afd733641bc9ab8321c06837223fb7a88444595ab8f42dfcb918809f097273f16f4bf6acb530b3a1b5153e77889e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74d445eb7c3a93681d96fabbca03ae90

SHA1
744ac68081c700a7462cac990825cf13e5510cf3

SHA256
1034495c1bb4bcf57a940d7b8de332e9503b42cae6dcd1debe92e2723eeb2c37

SHA512
dc618f7e72b909bf2a3b3ef8f004af46b8bea3f2317cee077d885b6f5e828c3b5d188d297b685bb55788cb56f3c365e86bd84718e409f273ef79b861b009fca1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be4669f2512adc19acb896aef903a96e

SHA1
f1ace4b289fc21baf47f99e2df329712d3ffb9c4

SHA256
6e4977ca8d4842823d1498c6bbdc74293dbde8bece72c7d20cc544aee6ae3340

SHA512
7c87fff2affa4b7c11c8d94afd49e3d30e4bae474d91fefedb9def8c3e4089480858b2dc0d3510e0e3aff1e1a330f1437e8f1229147d2da4ef8fe959703cac55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77d0b2db16a22ac8c4d1c702dcdeaa75

SHA1
6c9f359bfbe52a7509b758acd4bedcfbc0c34fcb

SHA256
c9adb61f8f19927803811ee85b5f2cfda8e7e52ed153b5095724b52af70df583

SHA512
94471dfd73da99dd6bd05269eebfaf1bd909b5b677157f98a9834d3e25418ec57016510fefdcde7ea572c2011d56ea0224eef9f60ab1a9c26b2a408c75b94a54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8805443908c017922393b4d62b08c21

SHA1
0313f4019a471375755e6a4fa582884fbe952b82

SHA256
5be5bdc056df054bf11824dac0e944f1f992ff4105a965f45a5d01184946a0de

SHA512
2f0b6862f26edc889e1d2d06a49ce8c9cda9e7850cb4d7c7b6d26f69ccb7f22d8facea4e9d45bf818e04a487e6a4894b4f29a95be56620fa8dd07c0f4abe5061

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0000dffae0dbb98745e9ce732ce58f47

SHA1
f58dd47e2dec3280faddba9862e586bca2e2b00d

SHA256
524b34816a5913554cb126677c232bd743086d41afb4849913559d1a1be59298

SHA512
fa15b31f9d7760f3bd99bb22c330d7bac7a5b64e8ca7d87f50e5f525dba08c13e4cad03e6bb6461d0dcd1ce3ae4d30f5219b6624ddbfa52ec4b697b0167d0e52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6211b766d985af45ff5c039acbf839e6

SHA1
2171c411f1bcd3f72f3f28d5fe1ce949e228a09d

SHA256
894d1b78474d10442c198607344b44b1ba56b78c89b13f65b702c5c1d7eac1b5

SHA512
a01d176c0f94f1f8f5f2af439255d4794133d5041eab2880bb6080daec78a86f9d474357b871abba88d8a72826ba97ac000e3d796cf3b942a20d8cf8982cd80e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4533b0f782ff64006cd509dc4fcc4f74

SHA1
3188994f0037c816edfcaadcf5191d010167a3d6

SHA256
1905cae3c42801786a2446ae8080a2443956cc94d44de98e107e2e6aee55a691

SHA512
df3f4cb8960dc15cf6abf889704b07d69bcb26cfe1604cc3a7172f727336f985d8ecd3c45dcc173c1f22854849ad4fd734fa403e62150e97992654ca9e4e2d3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd8800e779de156364bfb79b601668ac

SHA1
f82f938ac2f7b3997dd6b40f10d86c1afd96cf10

SHA256
46dd268b7168e5db752eeb96e0fefd06b635565729a878fbd1c4ce5ce239b9e2

SHA512
009aef0b1f2cc8eba8f40e9c15f7cd6c5c74acce302ed3bf7574a507a8e326002808d344fcd4ece7aa98f4e829343ece488758d531c236d01b408452fe9cac3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83adb64b1d0ab90980a1b56bc9466f96

SHA1
33024cba29f06c69fd024d3b3f36a58413d75521

SHA256
158a8d00504d55279d3936961970008f856164783b661a5e24f18d2f3efab1a4

SHA512
c10a9188ffad8257fa83bb2119976dc6e3534034a985730c3f85a0f8065b0367e4349f3ebb88f28ef2981e8e6c56a53439d7f3dc82221365b3ec95d287912d35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
937f2401bc0d0d9d5c2dc1b254539b82

SHA1
6b1a3d943581d17dbf4f3bb9822f8d72ef921059

SHA256
5335e4b6e0e66921700326eaba207458bba4248f0611429c819432767a0ae617

SHA512
b502e4279bce5cf977e4c3421477bc2ab3fae16ae0e795103ecd6cba4a60e83323659c3a62330a91662de126a6e8b9209bb99b31785427f718dca7a8cab08495

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d591364d8c57f79631b0477263ba4d1

SHA1
3e1a8350f75ecce33ee305d5a917deb0de676154

SHA256
04f527d7252b623773a22c4f509c5a1b092c4d3432cd4b610ef631111f899110

SHA512
123750be200f3cade3fd5eb3ac52f5ed659a62579b608d1b0a2d9361e0fa15ab2bc875d1d9575096d3e8d63beb51c30a8004dd8a092832354e31926374ce175b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5856c8c16a03de97e6e65b3a94cd0b4

SHA1
ef50520f1c0d0b4d03a5c216bf1180a857e7d6fc

SHA256
5279776ebeb243818696f1f435d0d9d5cd5f336000ec4dca1017921143b4069d

SHA512
e4d8bd4b1ed862d97a071861f2b0905d9063e6b5825ec060448526f75e2f5894002a811b4a36c0ba986e29a3cf47ecb90c82fcd24b3fda344bae18009627502b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5812.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5844.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a787470d6f62f1c877e9964fb86e513mgr.exe

Filesize
60KB

MD5
cd963c64ad0bea4ca85a4819f6eefed1

SHA1
d9cd6316cf3c6ce5ceec9694c2debc7b7981775f

SHA256
33c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906

SHA512
f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e

Download Submit
memory/2660-28-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2660-41-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2660-34-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2660-32-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2660-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-30-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2660-444-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2660-26-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2660-45-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2660-46-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2660-74-0x0000000000290000-0x00000000002DE000-memory.dmp

Filesize
312KB

Download
memory/2776-87-0x0000000002EC0000-0x0000000002F0E000-memory.dmp

Filesize
312KB

Download
memory/2776-9-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2776-80-0x0000000002EC0000-0x0000000002F0E000-memory.dmp

Filesize
312KB

Download
memory/2776-51-0x0000000002EC0000-0x0000000002F0E000-memory.dmp

Filesize
312KB

Download
memory/2776-83-0x0000000002EC0000-0x0000000002F0E000-memory.dmp

Filesize
312KB

Download
memory/2776-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-73-0x0000000002EC0000-0x0000000002F0E000-memory.dmp

Filesize
312KB

Download
memory/2776-76-0x0000000002EC0000-0x0000000002F0E000-memory.dmp

Filesize
312KB

Download
memory/2776-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-38-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2776-70-0x0000000002EC0000-0x0000000002F0E000-memory.dmp

Filesize
312KB

Download
memory/2776-18-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2776-964-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-85-0x0000000002EC0000-0x0000000002F0E000-memory.dmp

Filesize
312KB

Download
memory/2776-89-0x0000000002EC0000-0x0000000002F0E000-memory.dmp

Filesize
312KB

Download
memory/2780-61-0x0000000002600000-0x000000000264E000-memory.dmp

Filesize
312KB

Download
memory/2792-21-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2792-22-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2792-23-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2792-25-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2792-66-0x00000000001F0000-0x000000000023E000-memory.dmp

Filesize
312KB

Download
memory/2792-580-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2848-56-0x0000000001F60000-0x0000000001FAE000-memory.dmp

Filesize
312KB

Download