306fc98129e45d0bc3a4533c22dc2ca84c76ec4dcbeaaa3d8afe8a68b5913453

Analysis

max time kernel
129s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2025 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
Size

281KB
MD5

136006896fe90c65ae2208242b1ba7a7
SHA1

8fbb02a2bc31213c2430f7f60ef479716b23ea10
SHA256

306fc98129e45d0bc3a4533c22dc2ca84c76ec4dcbeaaa3d8afe8a68b5913453
SHA512

a692d9ced555e59c49d98edfe74071441e93f162de2a73de029de9650b5112f4e10ca8fc22589ac12c9fec421fd166bbb58c960dc9e79485b825a13cdf515276
SSDEEP

6144:gScrL/4mp8D6WGc/YSlIipBReubLzeh7Yy0DMId6XijX:xcIy78QSVnNyhsFMC6SjX

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2316S8A6-46LM-CQCO-M726-0F6E1F718E7M}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2316S8A6-46LM-CQCO-M726-0F6E1F718E7M}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2316S8A6-46LM-CQCO-M726-0F6E1F718E7M}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2316S8A6-46LM-CQCO-M726-0F6E1F718E7M}	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	server.exe

Executes dropped EXE 4 IoCs

pid	Process
1800	server.exe
1868	server.exe
4400	server.exe
2100	server.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File created	C:\Windows\SysWOW64\install\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File created	C:\Windows\SysWOW64\install\server.exe	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3108-3-0x0000000010410000-0x0000000010482000-memory.dmp	upx
behavioral2/memory/3108-2-0x0000000010410000-0x0000000010482000-memory.dmp	upx
behavioral2/memory/3108-6-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral2/memory/3108-63-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral2/memory/3268-68-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral2/memory/1528-152-0x0000000010590000-0x0000000010602000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2872	3268	WerFault.exe	88
340	1528	WerFault.exe	93
1444	896	WerFault.exe	97
1452	1868	WerFault.exe	101
4416	5052	WerFault.exe	105
4088	2100	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
1800	server.exe
1800	server.exe
4400	server.exe
4400	server.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
1800	server.exe
4400	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56
PID 3108 wrote to memory of 3500	3108	JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 828
      4⤵
      Program crash
      PID:2872
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:976
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_136006896fe90c65ae2208242b1ba7a7.exe"
    3⤵
    PID:1528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 500
      4⤵
      Program crash
      PID:340
- - C:\Windows\SysWOW64\install\server.exe
    "C:\Windows\system32\install\server.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1800
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 812
        5⤵
        Program crash
        
        PID:1444
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\SysWOW64\install\server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 540
        5⤵
        Program crash
        
        PID:1452
  - - C:\Users\Admin\AppData\Roaming\install\server.exe
      "C:\Users\Admin\AppData\Roaming\install\server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:4400
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 812
        6⤵
        Program crash
        
        PID:4416
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4960
    - - C:\Users\Admin\AppData\Roaming\install\server.exe
        
        "C:\Users\Admin\AppData\Roaming\install\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:2100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 508
        6⤵
        Program crash
        
        PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3268 -ip 3268
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1528 -ip 1528
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 896 -ip 896
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1868 -ip 1868
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5052 -ip 5052
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2100 -ip 2100
1⤵
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
236KB

MD5
17d838dc611ee7267e1717f846d1d7a5

SHA1
813a776faf061a3124048ad850a4d5832555677e

SHA256
e71b12b00433b10fc47ed34eaac025cf299838125fd458d0d013c2d57bdd8153

SHA512
3ef09354e2ce23937f03c373bf54a72a861c3f27a24fbd054843b1916230016662aae6fa77ac4fce459a565e887597bb33b9bc809f66a3a103c73d2540a982fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
236KB

MD5
a0e080b84a963dba717dcf2cc094b0cb

SHA1
ac6a73ef55a44a57ba2f592adda673905447138f

SHA256
3a42a0cff1be19810323ab0780a841b11d66d5b51575ad0768d1b28d766a0671

SHA512
17e954fe3343e81bbacb93a12e141327eaac73d0d2714187b46af34771da6381dfb61a4651d22546b3ebdf1da622ef22a7f15fa5731cd759fd81fc9fc317c1d3

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
281KB

MD5
136006896fe90c65ae2208242b1ba7a7

SHA1
8fbb02a2bc31213c2430f7f60ef479716b23ea10

SHA256
306fc98129e45d0bc3a4533c22dc2ca84c76ec4dcbeaaa3d8afe8a68b5913453

SHA512
a692d9ced555e59c49d98edfe74071441e93f162de2a73de029de9650b5112f4e10ca8fc22589ac12c9fec421fd166bbb58c960dc9e79485b825a13cdf515276

Download Submit
memory/1528-152-0x0000000010590000-0x0000000010602000-memory.dmp

Filesize
456KB

Download
memory/3108-3-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/3108-2-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/3108-6-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/3108-63-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/3268-8-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3268-7-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3268-68-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download