Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2024 07:10
Behavioral task
- behavioral1
- Sample: afa960d772a3025176774141b7171fac_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: afa960d772a3025176774141b7171fac_JaffaCakes118.exe
- Size: 987KB
- MD5: afa960d772a3025176774141b7171fac
- SHA1: 8e40f89dd9a54938c1bdbe71e88c68d316d49ff5
- SHA256: deef8627aa367994fa3e80cf2341e40cc5e76cbed492b0a0e57a60965a30d495
- SHA512: 1dc46fb8628454f1dce890569a27f0619e604427e0458cdf46e7645908fc00e0136ca6699c7a4faf2c9b8dac9fcc4c0680161f0081992f5d64b4fbf157c48836
- SSDEEP: 24576:1tARHJKlrUqX5MOnTm+CFO4QvQVTTY6Eb5S:1tAR8GqXlnS+CnQvATT2S
Malware Config
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" | DFNER.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | DFNER.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | afa960d772a3025176774141b7171fac_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | DFNER.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  2248 | DFNER.exe
  464 | DFNER.exe
  3952 | winupdate.exe
  4000 | winupdate.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" | DFNER.exe
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/1028-24-0x0000000000400000-0x00000000004AC000-memory.dmp | autoit_exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2248 set thread context of 464 | 2248 | DFNER.exe | 85
  PID 3952 set thread context of 4000 | 3952 | winupdate.exe | 89
- upx (yara rule, 2 IoCs)
  resource | yara_rule
  behavioral2/memory/1028-0-0x0000000000400000-0x00000000004AC000-memory.dmp | upx
  behavioral2/memory/1028-24-0x0000000000400000-0x00000000004AC000-memory.dmp | upx
- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\zqThuSoVPZpYu.rpx | winupdate.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | afa960d772a3025176774141b7171fac_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DFNER.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DFNER.exe
- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | DFNER.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | DFNER.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | DFNER.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | DFNER.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | DFNER.exe
- Modifies registry class (44 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A5EF5F-3700-445F-84EF-391EFC098674}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\ = "_jRPkUyJabSTyj" | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\ProxyStubClsid32 | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\TypeLib\Version = "1.0" | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DFNER.exe" | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\ = "jRPkUyJabSTyj" | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A5EF5F-3700-445F-84EF-391EFC098674}\1.0\ = "KTBrvKLEhmZrN" | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253}\VERSION | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\ProxyStubClsid | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253}\Programmable | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A5EF5F-3700-445F-84EF-391EFC098674} | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A5EF5F-3700-445F-84EF-391EFC098674}\1.0\FLAGS | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A5EF5F-3700-445F-84EF-391EFC098674}\1.0\0\win32 | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\TypeLib | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253}\ProgID\ = "KTBrvKLEhmZrN.jRPkUyJabSTyj" | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A5EF5F-3700-445F-84EF-391EFC098674}\1.0 | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A5EF5F-3700-445F-84EF-391EFC098674}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DFNER.exe" | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253}\VERSION\ = "1.0" | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KTBrvKLEhmZrN.jRPkUyJabSTyj\ = "KTBrvKLEhmZrN.jRPkUyJabSTyj" | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C} | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\ProxyStubClsid32 | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253}\TypeLib | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253}\TypeLib\ = "{11A5EF5F-3700-445F-84EF-391EFC098674}" | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KTBrvKLEhmZrN.jRPkUyJabSTyj | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253}\Implemented Categories | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KTBrvKLEhmZrN.jRPkUyJabSTyj\Clsid\ = "{B4C7CEAC-2530-4E75-A626-3BDF747C8253}" | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\TypeLib | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\TypeLib\ = "{11A5EF5F-3700-445F-84EF-391EFC098674}" | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\TypeLib\Version = "1.0" | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253} | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253}\ = "KTBrvKLEhmZrN.jRPkUyJabSTyj" | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KTBrvKLEhmZrN.jRPkUyJabSTyj\Clsid | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\ = "_jRPkUyJabSTyj" | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253}\ProgID | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4C7CEAC-2530-4E75-A626-3BDF747C8253}\LocalServer32 | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A5EF5F-3700-445F-84EF-391EFC098674}\1.0\FLAGS\ = "0" | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A5EF5F-3700-445F-84EF-391EFC098674}\1.0\0 | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A5EF5F-3700-445F-84EF-391EFC098674}\1.0\HELPDIR | DFNER.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C} | DFNER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C2D265F-E3BA-469D-A1CC-F4901A5D264C}\TypeLib\ = "{11A5EF5F-3700-445F-84EF-391EFC098674}" | DFNER.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs) | 464 | DFNER.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs) | 4000 | winupdate.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2248 | DFNER.exe
  3952 | winupdate.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  description | pid | Process | procid_target
  PID 1028 wrote to memory of 2248 (3 times) | 1028 | afa960d772a3025176774141b7171fac_JaffaCakes118.exe | 83
  PID 2248 wrote to memory of 464 (14 times) | 2248 | DFNER.exe | 85
  PID 2248 wrote to memory of 3256 (3 times) | 2248 | DFNER.exe | 86
  PID 464 wrote to memory of 3952 (3 times) | 464 | DFNER.exe | 88
  PID 3952 wrote to memory of 4000 (14 times) | 3952 | winupdate.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\afa960d772a3025176774141b7171fac_JaffaCakes118.exe (PID 1028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\afa960d772a3025176774141b7171fac_JaffaCakes118.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DFNER.exe (PID 2248)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DFNER.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DFNER.exe (PID 464)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DFNER.exe"
      Signatures: Modifies WinLogon for persistence; Checks BIOS information in registry; Checks computer location settings; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe (PID 3952)
        Command line: "C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe (PID 4000)
          Command line: "C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"
          Signatures: Checks BIOS information in registry; Executes dropped EXE; System Location Discovery: System Language Discovery; Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 3256)
      Command line: C:\Windows\system32\cmd.exe /c C:\rserars.bat
      Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 32KB
  MD5: 67a75cf7cebc7b3d2071e7884f8ebba9
  SHA1: ac9de2f53c840dd8a8607eb135b8226272dc7781
  SHA256: f321ed896779285be329a541bd4ab435fa9af86337b51f5c2b4479a92e6e9ac2
  SHA512: 547b19a7afe8ce5bb36da766488363c8aa1c570b6f33aab1d801b7ad2cc85b1555a11fa2adbf852b753f39af5f21c08c30866b75c309541c15805563b1ed8e5a
- Filesize: 713KB
  MD5: e7b749baaaf62f187e1a49871065e9ae
  SHA1: e9d8788e73f9ed735bf6f0b96d5355c173e82992
  SHA256: 2611acbb63970b121fd03ab027c6a3415b5c47a86e1cb9fa556fb1d237c5a3a8
  SHA512: 6cc3fc1fb930e093c46e4ca6f3d06dc7b6806a051f007e8460b0303b5c4000d38c7170bdc2d7011f7d78e6350fe016f9774c9faaa5849bb7cf0d514fc8c67c72
- Filesize: 145B
  MD5: 457cced7a6b57d29373c684df02b7ce9
  SHA1: c56976b326f42de4841369edbc6fb56cf9151723
  SHA256: 93200aff412fe035ce15e0437bc7f075860fd075a062c7b62bccc431e9d9e015
  SHA512: a08dad4af9565898f6813878d93f012203eb5ece4f879bdd563fa84717f300f30fe59b6b5637a24997e3b79ebcb710018d54948cee17d0babb89cd56b722eb99