Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29-10-2024 00:42
Behavioral task
behavioral1
Sample
7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
24 signatures
150 seconds
General
-
Target
7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe
-
Size
481KB
-
MD5
7b4594b4e4bd4e6c04f0f595cbe83176
-
SHA1
99f009e0aa9c8381c33cd1c15a262e69b6bd0ac9
-
SHA256
e8281de33a98377a2f482f952f5edac2002129656cec81bb9887f42f85d54a47
-
SHA512
d3f1442fa1e5fff4e5047928fe9e3244a186fd8c47fe2c5021454fcc21dc706bba0439e22f603d610c78faba8b7052a8f18df2a22223652a570eb7a394136bdb
-
SSDEEP
12288:Sl8E4w5huat7UovONzbXw9b1ZDBpXLJSIsD:wdhHwNzbXir9G
Malware Config
Extracted
Family
darkcomet
Botnet
jpg
C2
wormmm.zapto.org:1604
Mutex
DC_MUTEX-FP4VHDL
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
Tzqw9TkaSLTW
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
msdcsc.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
msdcsc.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe -
Processes:
msdcsc.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
msdcsc.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe -
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid Process 2808 attrib.exe 1084 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe -
Deletes itself 1 IoCs
Processes:
notepad.exepid Process 4928 notepad.exe -
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exepid Process 2616 msdcsc.exe -
Processes:
msdcsc.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exemsdcsc.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe -
Processes:
resource yara_rule behavioral2/memory/2260-0-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/files/0x0007000000023cb9-11.dat upx behavioral2/memory/2260-69-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-80-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-81-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-82-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-83-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-84-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-85-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-86-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-87-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-88-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-89-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-90-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-91-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-92-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-93-0x0000000000400000-0x0000000000523000-memory.dmp upx behavioral2/memory/2616-94-0x0000000000400000-0x0000000000523000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
attrib.exeattrib.exenotepad.exemsdcsc.exenotepad.exe7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.execmd.execmd.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 1 IoCs
Processes:
7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msdcsc.exepid Process 2616 msdcsc.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exemsdcsc.exedescription pid Process Token: SeIncreaseQuotaPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeSecurityPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeLoadDriverPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeSystemProfilePrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeSystemtimePrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeBackupPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeRestorePrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeShutdownPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeDebugPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeUndockPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeManageVolumePrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeImpersonatePrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: 33 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: 34 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: 35 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: 36 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2616 msdcsc.exe Token: SeSecurityPrivilege 2616 msdcsc.exe Token: SeTakeOwnershipPrivilege 2616 msdcsc.exe Token: SeLoadDriverPrivilege 2616 msdcsc.exe Token: SeSystemProfilePrivilege 2616 msdcsc.exe Token: SeSystemtimePrivilege 2616 msdcsc.exe Token: SeProfSingleProcessPrivilege 2616 msdcsc.exe Token: SeIncBasePriorityPrivilege 2616 msdcsc.exe Token: SeCreatePagefilePrivilege 2616 msdcsc.exe Token: SeBackupPrivilege 2616 msdcsc.exe Token: SeRestorePrivilege 2616 msdcsc.exe Token: SeShutdownPrivilege 2616 msdcsc.exe Token: SeDebugPrivilege 2616 msdcsc.exe Token: SeSystemEnvironmentPrivilege 2616 msdcsc.exe Token: SeChangeNotifyPrivilege 2616 msdcsc.exe Token: SeRemoteShutdownPrivilege 2616 msdcsc.exe Token: SeUndockPrivilege 2616 msdcsc.exe Token: SeManageVolumePrivilege 2616 msdcsc.exe Token: SeImpersonatePrivilege 2616 msdcsc.exe Token: SeCreateGlobalPrivilege 2616 msdcsc.exe Token: 33 2616 msdcsc.exe Token: 34 2616 msdcsc.exe Token: 35 2616 msdcsc.exe Token: 36 2616 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msdcsc.exepid Process 2616 msdcsc.exe -
Suspicious use of WriteProcessMemory 54 IoCs
Processes:
7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.execmd.execmd.exemsdcsc.exedescription pid Process procid_target PID 2260 wrote to memory of 4172 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 84 PID 2260 wrote to memory of 4172 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 84 PID 2260 wrote to memory of 4172 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 84 PID 2260 wrote to memory of 4284 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 85 PID 2260 wrote to memory of 4284 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 85 PID 2260 wrote to memory of 4284 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 85 PID 4172 wrote to memory of 2808 4172 cmd.exe 88 PID 4172 wrote to memory of 2808 4172 cmd.exe 88 PID 4172 wrote to memory of 2808 4172 cmd.exe 88 PID 4284 wrote to memory of 1084 4284 cmd.exe 89 PID 4284 wrote to memory of 1084 4284 cmd.exe 89 PID 4284 wrote to memory of 1084 4284 cmd.exe 89 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 4928 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 93 PID 2260 wrote to memory of 2616 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 94 PID 2260 wrote to memory of 2616 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 94 PID 2260 wrote to memory of 2616 2260 7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe 94 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 PID 2616 wrote to memory of 2288 2616 msdcsc.exe 95 -
System policy modification 1 TTPs 3 IoCs
Processes:
msdcsc.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion msdcsc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid Process 2808 attrib.exe 1084 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\7b4594b4e4bd4e6c04f0f595cbe83176_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2808
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1084
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:4928
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2616 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- System Location Discovery: System Language Discovery
PID:2288
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5d4536476e2f9c12fbe396404ea196738
SHA1c7e3b4fd447760d7fdd38e8299c3823f35426d87
SHA25600f5b508d763c59c7a2597dcb9f42f2f8f1330c5445d8ffdea0b8fe7bc8d555d
SHA512acc0c30d302623a1927270f6660f1bdac477b1867d67b7396173069d1d584c379deabaa95a070ff161bad6ae3a130cb642093651de6d2e2f0cf2bf626abcf1fc
-
Filesize
7KB
MD54e878c4daf9523b069dc22fd304cca78
SHA1e05d7c8117d99bdd9b3af1bf04d2af6c9613ed90
SHA2560a1b543f567d48e6223feab3e00df790aa0c124726136002829d7ea8c6e92f59
SHA5129688186f6c0aa01dbbeefd461810db1f70323f6939762c3967d266db18dbe74ce911bdddeecca1926db72fe67cc9d21dab7c0704c757e58cd429ec5cc84183df
-
Filesize
6KB
MD50f2c1dbb372e4d75e9e6e6ebbdb9fe66
SHA11f12dc2521b6bbed1b4931aed45973c7661b2934
SHA2565f8ac7ae4ed4e7a237027f2388e18fa9e9e01a4932e84cfaf0bfc29ec7354694
SHA512f688839d4abf2181191ac378b2b16980abc65cb3077d530d59dd91a9fa8d853daafa02d5b7836562a2fb41babb8de499af2cd2b2828d02fdadc0ba583a269905
-
Filesize
6KB
MD53402465b9fcad621164c064a66092a64
SHA1e8207f66a6132b5cd1f2044e7fd8e100c8c114d4
SHA256d780f763cb38b69c457da07f07eb68bb6581916509a635ce866c2cfff907ec97
SHA51241a520455c2168ef7e242ddebac0881d9e57155b7c068a2ede6077667cb0319722d08d929e43c142e650e2271af1e8d01011026ed4715f7a18d03ed482de5df6
-
Filesize
481KB
MD57b4594b4e4bd4e6c04f0f595cbe83176
SHA199f009e0aa9c8381c33cd1c15a262e69b6bd0ac9
SHA256e8281de33a98377a2f482f952f5edac2002129656cec81bb9887f42f85d54a47
SHA512d3f1442fa1e5fff4e5047928fe9e3244a186fd8c47fe2c5021454fcc21dc706bba0439e22f603d610c78faba8b7052a8f18df2a22223652a570eb7a394136bdb
