Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/04/2024, 17:04
Behavioral task
behavioral1
Sample
013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe
Resource
win7-20240419-en
General
- Target: 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe
- Size: 2.2MB
- MD5: 013e1cfb58659275939c7aed074adc61
- SHA1: 6b7bb5e9d642cc8040cb6b99d7cae2514ee5923e
- SHA256: bf70afa2e5a6f9f55ebd57f423c0eefce372f00e2c0778e129e570d24459ad1d
- SHA512: 9f6ba59e605700b668251214c3df45213fdf1ab3da3c9a71737f560b0af4ce28edbf780ed7f70d59cff049b4b0c2f4c7605349f4b7f964f4a1abeada8ccf504d
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZe:0UzeyQMS4DqodCnoe+iitjWwwC
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe -
Executes dropped EXE 24 IoCs
pid Process 4612 explorer.exe 3348 explorer.exe 5044 spoolsv.exe 1268 spoolsv.exe 3264 spoolsv.exe 2164 spoolsv.exe 4960 spoolsv.exe 3468 spoolsv.exe 1692 spoolsv.exe 3048 spoolsv.exe 3260 spoolsv.exe 5024 spoolsv.exe 4356 spoolsv.exe 2236 spoolsv.exe 1188 spoolsv.exe 1096 spoolsv.exe 3548 explorer.exe 4024 spoolsv.exe 1516 spoolsv.exe 2156 spoolsv.exe 2348 spoolsv.exe 3968 explorer.exe 4952 spoolsv.exe 2060 spoolsv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 380 set thread context of 3860 380 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 101 PID 4612 set thread context of 3348 4612 explorer.exe 104 PID 5044 set thread context of 1096 5044 spoolsv.exe 118 PID 1268 set thread context of 1516 1268 spoolsv.exe 121 PID 3264 set thread context of 2348 3264 spoolsv.exe 123 PID 2164 set thread context of 2060 2164 spoolsv.exe 126 -
Drops file in Windows directory 21 IoCs
description ioc Process File opened for modification \??\c:\windows\system\explorer.exe 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid Process 3860 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 3860 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process 3860 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 3860 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 3348 explorer.exe 1096 spoolsv.exe 1096 spoolsv.exe 1516 spoolsv.exe 1516 spoolsv.exe 2348 spoolsv.exe 2348 spoolsv.exe 2060 spoolsv.exe 2060 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 380 wrote to memory of 4104 380 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 91 PID 380 wrote to memory of 4104 380 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 91 PID 380 wrote to memory of 3860 380 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 101 PID 380 wrote to memory of 3860 380 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 101 PID 380 wrote to memory of 3860 380 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 101 PID 380 wrote to memory of 3860 380 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 101 PID 380 wrote to memory of 3860 380 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 101 PID 3860 wrote to memory of 4612 3860 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 102 PID 3860 wrote to memory of 4612 3860 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 102 PID 3860 wrote to memory of 4612 3860 013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe 102 PID 4612 wrote to memory of 3348 4612 explorer.exe 104 PID 4612 wrote to memory of 3348 4612 explorer.exe 104 PID 4612 wrote to memory of 3348 4612 explorer.exe 104 PID 4612 wrote to memory of 3348 4612 explorer.exe 104 PID 4612 wrote to memory of 3348 4612 explorer.exe 104 PID 3348 wrote to memory of 5044 3348 explorer.exe 105 PID 3348 wrote to memory of 5044 3348 explorer.exe 105 PID 3348 wrote to memory of 5044 3348 explorer.exe 105 PID 3348 wrote to memory of 1268 3348 explorer.exe 106 PID 3348 wrote to memory of 1268 3348 explorer.exe 106 PID 3348 wrote to memory of 1268 3348 explorer.exe 106 PID 3348 wrote to memory of 3264 3348 explorer.exe 107 PID 3348 wrote to memory of 3264 3348 explorer.exe 107 PID 3348 wrote to memory of 3264 3348 explorer.exe 107 PID 3348 wrote to memory of 2164 3348 explorer.exe 108 PID 3348 wrote to memory of 2164 3348 explorer.exe 108 PID 3348 wrote to memory of 2164 3348 explorer.exe 108 PID 3348 wrote to memory of 4960 3348 explorer.exe 109 PID 3348 wrote to memory of 4960 3348 explorer.exe 109 
PID 3348 wrote to memory of 4960 3348 explorer.exe 109 PID 3348 wrote to memory of 3468 3348 explorer.exe 110 PID 3348 wrote to memory of 3468 3348 explorer.exe 110 PID 3348 wrote to memory of 3468 3348 explorer.exe 110 PID 3348 wrote to memory of 1692 3348 explorer.exe 111 PID 3348 wrote to memory of 1692 3348 explorer.exe 111 PID 3348 wrote to memory of 1692 3348 explorer.exe 111 PID 3348 wrote to memory of 3048 3348 explorer.exe 112 PID 3348 wrote to memory of 3048 3348 explorer.exe 112 PID 3348 wrote to memory of 3048 3348 explorer.exe 112 PID 3348 wrote to memory of 3260 3348 explorer.exe 113 PID 3348 wrote to memory of 3260 3348 explorer.exe 113 PID 3348 wrote to memory of 3260 3348 explorer.exe 113 PID 3348 wrote to memory of 5024 3348 explorer.exe 114 PID 3348 wrote to memory of 5024 3348 explorer.exe 114 PID 3348 wrote to memory of 5024 3348 explorer.exe 114 PID 3348 wrote to memory of 4356 3348 explorer.exe 115 PID 3348 wrote to memory of 4356 3348 explorer.exe 115 PID 3348 wrote to memory of 4356 3348 explorer.exe 115 PID 3348 wrote to memory of 2236 3348 explorer.exe 116 PID 3348 wrote to memory of 2236 3348 explorer.exe 116 PID 3348 wrote to memory of 2236 3348 explorer.exe 116 PID 3348 wrote to memory of 1188 3348 explorer.exe 117 PID 3348 wrote to memory of 1188 3348 explorer.exe 117 PID 3348 wrote to memory of 1188 3348 explorer.exe 117 PID 5044 wrote to memory of 1096 5044 spoolsv.exe 118 PID 5044 wrote to memory of 1096 5044 spoolsv.exe 118 PID 5044 wrote to memory of 1096 5044 spoolsv.exe 118 PID 5044 wrote to memory of 1096 5044 spoolsv.exe 118 PID 5044 wrote to memory of 1096 5044 spoolsv.exe 118 PID 1096 wrote to memory of 3548 1096 spoolsv.exe 119 PID 1096 wrote to memory of 3548 1096 spoolsv.exe 119 PID 1096 wrote to memory of 3548 1096 spoolsv.exe 119 PID 3348 wrote to memory of 4024 3348 explorer.exe 120 PID 3348 wrote to memory of 4024 3348 explorer.exe 120
Processes
-
C:\Users\Admin\AppData\Local\Temp\013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:4104
-
-
C:\Users\Admin\AppData\Local\Temp\013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\013e1cfb58659275939c7aed074adc61_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3548 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4608
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1268 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1516
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3264 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2348 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
PID:3968 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5112
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2164 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2060
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4960 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3844
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3396
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1676
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3468 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2296
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1692 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:212
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4168
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2108
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3048 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4736
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3260 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:992
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:220
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5024 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4704
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4356 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1864
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3228
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2236 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1844
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3528
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1188 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4004
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1640
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4024 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4136
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2156 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1880
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1340
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:4952 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3144
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4568
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4584
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3872
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3368
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1476
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1412
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2836
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4388
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2784
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3952
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4184
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4760
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2876
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4268
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:620
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2328
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4340
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:4816
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Downloads