d4979877d317ac3ee167239f647f6a55a821cfac7875528e3bbecb7110f2f60b

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 09:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Size

297KB
MD5

494b4a4f6f9fc3d298619519417bac4a
SHA1

c1e1bda6a632ae178386b89da3a3d15d97ef9bca
SHA256

d4979877d317ac3ee167239f647f6a55a821cfac7875528e3bbecb7110f2f60b
SHA512

b81e78488654f27fb9c8725e4f0c1555eefabe8958a72dd36a90362689aebc990213f4aafc082baebe6f6683082aad0a7bac62365ca3854df36598db4e33f320
SSDEEP

6144:+O9jt6wZu8OGauB794zlvkuymdzXZIwaUPT3Pbkx:oQauB794zny3wpPbbkx

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1936-14-0x00000000022B0000-0x00000000032DA000-memory.dmp	upx
behavioral2/memory/1936-16-0x00000000022B0000-0x00000000032DA000-memory.dmp	upx
behavioral2/memory/1936-7-0x00000000022B0000-0x00000000032DA000-memory.dmp	upx
behavioral2/memory/1936-23-0x00000000022B0000-0x00000000032DA000-memory.dmp	upx
behavioral2/memory/1936-109-0x00000000022B0000-0x00000000032DA000-memory.dmp	upx
behavioral2/memory/1936-141-0x00000000022B0000-0x00000000032DA000-memory.dmp	upx
behavioral2/memory/1936-143-0x00000000022B0000-0x00000000032DA000-memory.dmp	upx
behavioral2/memory/1936-145-0x00000000022B0000-0x00000000032DA000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 788	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	9
PID 1936 wrote to memory of 792	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	10
PID 1936 wrote to memory of 1012	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	13
PID 1936 wrote to memory of 2484	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	42
PID 1936 wrote to memory of 2504	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	43
PID 1936 wrote to memory of 2856	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	50
PID 1936 wrote to memory of 3500	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	56
PID 1936 wrote to memory of 3672	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	57
PID 1936 wrote to memory of 3852	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	58
PID 1936 wrote to memory of 3948	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	59
PID 1936 wrote to memory of 4016	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	60
PID 1936 wrote to memory of 2784	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	61
PID 1936 wrote to memory of 3692	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	62
PID 1936 wrote to memory of 476	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	64
PID 1936 wrote to memory of 4036	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	75
PID 1936 wrote to memory of 2760	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	80
PID 1936 wrote to memory of 1584	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	81
PID 1936 wrote to memory of 788	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	9
PID 1936 wrote to memory of 792	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	10
PID 1936 wrote to memory of 1012	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	13
PID 1936 wrote to memory of 2484	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	42
PID 1936 wrote to memory of 2504	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	43
PID 1936 wrote to memory of 2856	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	50
PID 1936 wrote to memory of 3500	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	56
PID 1936 wrote to memory of 3672	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	57
PID 1936 wrote to memory of 3852	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	58
PID 1936 wrote to memory of 3948	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	59
PID 1936 wrote to memory of 4016	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	60
PID 1936 wrote to memory of 2784	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	61
PID 1936 wrote to memory of 3692	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	62
PID 1936 wrote to memory of 476	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	64
PID 1936 wrote to memory of 4036	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	75
PID 1936 wrote to memory of 2760	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	80
PID 1936 wrote to memory of 2256	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	84
PID 1936 wrote to memory of 2684	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	85
PID 1936 wrote to memory of 788	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	9
PID 1936 wrote to memory of 792	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	10
PID 1936 wrote to memory of 1012	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	13
PID 1936 wrote to memory of 2484	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	42
PID 1936 wrote to memory of 2504	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	43
PID 1936 wrote to memory of 2856	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	50
PID 1936 wrote to memory of 3500	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	56
PID 1936 wrote to memory of 3672	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	57
PID 1936 wrote to memory of 3852	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	58
PID 1936 wrote to memory of 3948	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	59
PID 1936 wrote to memory of 4016	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	60
PID 1936 wrote to memory of 2784	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	61
PID 1936 wrote to memory of 3692	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	62
PID 1936 wrote to memory of 476	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	64
PID 1936 wrote to memory of 4036	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	75
PID 1936 wrote to memory of 2760	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	80
PID 1936 wrote to memory of 2256	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	84
PID 1936 wrote to memory of 2684	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	85
PID 1936 wrote to memory of 2324	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	86
PID 1936 wrote to memory of 2324	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	86
PID 1936 wrote to memory of 2324	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	86
PID 1936 wrote to memory of 2324	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	86
PID 1936 wrote to memory of 560	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	87
PID 1936 wrote to memory of 560	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	87
PID 1936 wrote to memory of 560	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	87
PID 1936 wrote to memory of 560	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	87
PID 1936 wrote to memory of 1280	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	88
PID 1936 wrote to memory of 1280	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	88
PID 1936 wrote to memory of 1280	1936	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe	88

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2504

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2856

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1936
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:560
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:872
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3692

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:476

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4036

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2760

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1584

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2256

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2684

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dfc4180194ae41079a150835f0d037f0&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=

backgroundTaskHost.exe

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dfc4180194ae41079a150835f0d037f0&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=048D2B9D831D6CC408873F2082FD6D36; domain=.bing.com; expires=Sat, 09-Aug-2025 09:57:34 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 36ABA89F4631411E96C6DE4354E98D84 Ref B: LON04EDGE1111 Ref C: 2024-07-15T09:57:34Z
date: Mon, 15 Jul 2024 09:57:33 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dfc4180194ae41079a150835f0d037f0&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=

backgroundTaskHost.exe

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dfc4180194ae41079a150835f0d037f0&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=048D2B9D831D6CC408873F2082FD6D36

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=EJMedmFab3OtLIkGBWd5LYJhxx4m9E6_Y-taYXBM_sI; domain=.bing.com; expires=Sat, 09-Aug-2025 09:57:34 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 30794B1A1DAD4D83AFB199F114C5E3C1 Ref B: LON04EDGE1111 Ref C: 2024-07-15T09:57:34Z
date: Mon, 15 Jul 2024 09:57:33 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dfc4180194ae41079a150835f0d037f0&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=

backgroundTaskHost.exe

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dfc4180194ae41079a150835f0d037f0&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=048D2B9D831D6CC408873F2082FD6D36; MSPTC=EJMedmFab3OtLIkGBWd5LYJhxx4m9E6_Y-taYXBM_sI

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 11A1584A13FB45F5A8FBD41BDCB34B94 Ref B: LON04EDGE1111 Ref C: 2024-07-15T09:57:34Z
date: Mon, 15 Jul 2024 09:57:33 GMT
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

237.21.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

67.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.31.126.40.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

147.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.142.123.92.in-addr.arpa

IN PTR

Response

147.142.123.92.in-addr.arpa

IN PTR

a92-123-142-147deploystaticakamaitechnologiescom
DNS

147.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.142.123.92.in-addr.arpa

IN PTR
DNS

147.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.142.123.92.in-addr.arpa

IN PTR
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

13.107.21.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dfc4180194ae41079a150835f0d037f0&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=

tls, http2

backgroundTaskHost.exe

2.0kB
9.3kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dfc4180194ae41079a150835f0d037f0&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dfc4180194ae41079a150835f0d037f0&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dfc4180194ae41079a150835f0d037f0&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=

HTTP Response

204

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

67.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

67.31.126.40.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

147.142.123.92.in-addr.arpa

dns

219 B
139 B
3
1

DNS Request

147.142.123.92.in-addr.arpa

DNS Request

147.142.123.92.in-addr.arpa

DNS Request

147.142.123.92.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsuDEE8.tmp\InstallOptions.dll

Filesize
12KB

MD5
07f3b3445f66e1089567796bf3c8be78

SHA1
851eb574c1067b23a654f8aa47b17ef599b24d1c

SHA256
a505e6c537a5ce0166227dda9f7671605395592ac9f1a3764e8a01b713939db1

SHA512
8c56308fff3a947b26fd0d98dbdd96c406ddf967f5d7abee8cba082b6c46a4e575094bb0bb981551ac5160bb5089cf6fb125dd17a659c427e28c07402adab1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuDEE8.tmp\LangDLL.dll

Filesize
5KB

MD5
2c3c8976d729d28478a789217a882291

SHA1
10c18b23fac957419547ef0f8ec3bc1b10e91e79

SHA256
799f91bdd59f2133bf195c5b4ca685ee91666d981a6bcd8a6c45b7c8ecc96eef

SHA512
749c650974f94cc5009124d3fa3d9bb1ee5824a3fa0a76b81733e08379678a2a1b7c54b77d1709fb6de24c81c68c03c0ec3e9ec5ccad0d30d9237300794f1213

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuDEE8.tmp\ioSpecial.ini

Filesize
696B

MD5
3ae54338f041d2ce4a56067b611ff32b

SHA1
fc6f45e62217d190dcd45e2c15718e2541a3669c

SHA256
1a983dbd14cd2407bb3df98ab266c1c72fecc2029aa2fac823101805bd7e0f4c

SHA512
d40c10cf14574271a376e15abf8473098ec0470e6b255150a64fda54301c2dea8d393909f1a9dc307d1f4fc5661ce34772f6e3ebc4f0f35b29893f3b7e86e899

Download Submit
memory/560-149-0x0000000000490000-0x00000000004A4000-memory.dmp

Filesize
80KB

Download
memory/560-146-0x0000000000490000-0x00000000004A4000-memory.dmp

Filesize
80KB

Download
memory/1280-151-0x0000000000EE0000-0x0000000000EF4000-memory.dmp

Filesize
80KB

Download
memory/1280-150-0x0000000000EE0000-0x0000000000EF4000-memory.dmp

Filesize
80KB

Download
memory/1936-109-0x00000000022B0000-0x00000000032DA000-memory.dmp

Filesize
16.2MB

Download
memory/1936-145-0x00000000022B0000-0x00000000032DA000-memory.dmp

Filesize
16.2MB

Download
memory/1936-23-0x00000000022B0000-0x00000000032DA000-memory.dmp

Filesize
16.2MB

Download
memory/1936-16-0x00000000022B0000-0x00000000032DA000-memory.dmp

Filesize
16.2MB

Download
memory/1936-14-0x00000000022B0000-0x00000000032DA000-memory.dmp

Filesize
16.2MB

Download
memory/1936-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-113-0x0000000005A60000-0x0000000005A62000-memory.dmp

Filesize
8KB

Download
memory/1936-114-0x0000000005A60000-0x0000000005A62000-memory.dmp

Filesize
8KB

Download
memory/1936-168-0x0000000005A60000-0x0000000005A62000-memory.dmp

Filesize
8KB

Download
memory/1936-18-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1936-141-0x00000000022B0000-0x00000000032DA000-memory.dmp

Filesize
16.2MB

Download
memory/1936-143-0x00000000022B0000-0x00000000032DA000-memory.dmp

Filesize
16.2MB

Download
memory/1936-17-0x0000000004760000-0x0000000004762000-memory.dmp

Filesize
8KB

Download
memory/1936-7-0x00000000022B0000-0x00000000032DA000-memory.dmp

Filesize
16.2MB

Download
memory/1936-20-0x0000000004760000-0x0000000004762000-memory.dmp

Filesize
8KB

Download
memory/1936-148-0x0000000004760000-0x0000000004762000-memory.dmp

Filesize
8KB

Download
memory/1936-19-0x0000000004760000-0x0000000004762000-memory.dmp

Filesize
8KB

Download
memory/2324-140-0x0000000000910000-0x0000000000924000-memory.dmp

Filesize
80KB

Download
memory/2324-139-0x0000000000910000-0x0000000000924000-memory.dmp

Filesize
80KB

Download
memory/4704-156-0x0000000000BA0000-0x0000000000BB4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.