Analysis
max time kernel: 119s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 18:58
Behavioral task: behavioral1
Sample: b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe
Size: 2.2MB
MD5: b4b1f4fbbb091afee3b2dd39bf82b9e3
SHA1: 3879eba887cf497cd941bdf9b6f02dc43be14e00
SHA256: a44813b730be6a099ea651c5ea49bd679c3caab2e3589b16bb042010304e59b3
SHA512: 871d626ab65239c935506e904d9a51d1bd75041d9c0aa39d0737f150d7fb340a5ffb23278339d67abb2d0460d23af2a661a5e5a7c227a3d3d328a4256936deb0
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ8:0UzeyQMS4DqodCnoe+iitjWwwg
Malware Config
Extracted: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe | b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe | b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe
Executes dropped EXE (25 IoCs)
  Process: pids
  explorer.exe: 1056, 2960, 6056, 3080, 5056
  spoolsv.exe: 5220, 4904, 4696, 2488, 5840, 3768, 228, 4832, 5332, 768, 3624, 3980, 340, 4988, 5368, 4424, 6028, 3876, 5172, 5164
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext (6 IoCs)
  description | pid | Process | procid_target
  PID 4620 set thread context of 4528 | 4620 | b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe | 101
  PID 1056 set thread context of 2960 | 1056 | explorer.exe | 104
  PID 5220 set thread context of 340 | 5220 | spoolsv.exe | 117
  PID 4904 set thread context of 5368 | 4904 | spoolsv.exe | 120
  PID 4696 set thread context of 6028 | 4696 | spoolsv.exe | 123
  PID 2488 set thread context of 5172 | 2488 | spoolsv.exe | 125
Drops file in Windows directory (22 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (15 entries)
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe (3 entries)
  File opened for modification | C:\Windows\Parameters.ini | b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe (1 entry)
  File opened for modification | \??\c:\windows\system\explorer.exe | b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (34 IoCs)
  pid | Process | entries
  4528 | b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe | 2
  2960 | explorer.exe | 32
Suspicious use of SetWindowsHookEx (14 IoCs)
  pid | Process | entries
  4528 | b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe | 2
  2960 | explorer.exe | 4
  340 | spoolsv.exe | 2
  5368 | spoolsv.exe | 2
  6028 | spoolsv.exe | 2
  5172 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (64 IoCs)
  pid | wrote to memory of | Process | procid_target | entries
  4620 | 4224 | b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe | 91 | 2
  4620 | 4528 | b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe | 101 | 5
  4528 | 1056 | b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe | 102 | 3
  1056 | 2960 | explorer.exe | 104 | 5
  2960 | 5220 | explorer.exe | 105 | 3
  2960 | 4904 | explorer.exe | 106 | 3
  2960 | 4696 | explorer.exe | 107 | 3
  2960 | 2488 | explorer.exe | 108 | 3
  2960 | 5840 | explorer.exe | 109 | 3
  2960 | 3768 | explorer.exe | 110 | 3
  2960 | 228 | explorer.exe | 111 | 3
  2960 | 4832 | explorer.exe | 112 | 3
  2960 | 5332 | explorer.exe | 113 | 3
  2960 | 768 | explorer.exe | 114 | 3
  2960 | 3624 | explorer.exe | 115 | 3
  2960 | 3980 | explorer.exe | 116 | 3
  5220 | 340 | spoolsv.exe | 117 | 5
  340 | 6056 | spoolsv.exe | 118 | 3
  2960 | 4988 | explorer.exe | 119 | 3
  4904 | 5368 | spoolsv.exe | 120 | 2
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe"
    PID: 4620
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe
      cmdline: C:\Windows\splwow64.exe 12288
      PID: 4224
  [2] C:\Users\Admin\AppData\Local\Temp\b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\b4b1f4fbbb091afee3b2dd39bf82b9e3_JaffaCakes118.exe"
      PID: 4528
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe
        cmdline: c:\windows\system\explorer.exe
        PID: 1056
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe
          cmdline: "c:\windows\system\explorer.exe"
          PID: 2960
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 5220
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 340
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] \??\c:\windows\system\explorer.exe
                cmdline: c:\windows\system\explorer.exe
                PID: 6056
                - Executes dropped EXE
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe
                  cmdline: "c:\windows\system\explorer.exe"
                  PID: 3264
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 4904
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 5368
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe
                cmdline: c:\windows\system\explorer.exe
                PID: 3080
                - Executes dropped EXE
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe
                  cmdline: "c:\windows\system\explorer.exe"
                  PID: 4768
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 4696
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 6028
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 2488
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 5172
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe
                cmdline: c:\windows\system\explorer.exe
                PID: 5056
                - Executes dropped EXE
              [8] \??\c:\windows\system\explorer.exe
                  cmdline: "c:\windows\system\explorer.exe"
                  PID: 840
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 5840
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 116
            [7] \??\c:\windows\system\explorer.exe
                cmdline: c:\windows\system\explorer.exe
                PID: 4260
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 3768
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 4512
            [7] \??\c:\windows\system\explorer.exe
                cmdline: c:\windows\system\explorer.exe
                PID: 4356
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 228
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 1960
            [7] \??\c:\windows\system\explorer.exe
                cmdline: c:\windows\system\explorer.exe
                PID: 5616
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 4832
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 4872
            [7] \??\c:\windows\system\explorer.exe
                cmdline: c:\windows\system\explorer.exe
                PID: 3056
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 5332
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 1868
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 768
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 2852
            [7] \??\c:\windows\system\explorer.exe
                cmdline: c:\windows\system\explorer.exe
                PID: 5300
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 3624
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 4008
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 3980
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 4596
            [7] \??\c:\windows\system\explorer.exe
                cmdline: c:\windows\system\explorer.exe
                PID: 5408
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 4988
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 4488
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 4424
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 224
            [7] \??\c:\windows\system\explorer.exe
                cmdline: c:\windows\system\explorer.exe
                PID: 4992
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 3876
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 6076
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 5164
            - Executes dropped EXE
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 4588
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 5816
          [6] \??\c:\windows\system\spoolsv.exe
              cmdline: "c:\windows\system\spoolsv.exe"
              PID: 4520
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 220
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 5428
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 5884
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 1408
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 4128
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 2756
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 5204
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 4344
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 4072
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
            PID: 5044
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    PID: 5152
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
    PID: 340
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Filesize: 2.2MB
MD5: ca7b8a3e153273e6e807f7802f0358e2
SHA1: 511bc6259d5f31708200a17fbbe3b5558dee7910
SHA256: 411d8d059bdadbab41b580331b9d60f5e50c99bb7de4916e365267df2731040d
SHA512: dce46b2bdbb31bed147a40f4d6d0d1f19111995462c28c6d6557ed202c6121a6646188f04f7f9edf5278c5a8727247457bf69ba1cd89edbc1eb2183db2acadb1

Filesize: 2.2MB
MD5: 66f3379e812e2cb72abdff3514ce6e73
SHA1: e84e59c8ff36381f1c03b0cd0a18d8daf1abdefb
SHA256: 0f09d0a00e51cbe41becc248104ddee62353550a58cd53818ac081ed01c828fd
SHA512: 73861af0106775fde1243cac5b9232a353d82756033ca81deb62631bb7540a02dbc1b052ab42289e3755be3a8a308c5a496877b6c09afa9fb154f67e34309296