Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 24/01/2025, 06:21
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe
- Size: 1.2MB
- MD5: 1eb9eea740e4165eb9ae5dcee0d72862
- SHA1: 28dae67732b6584ef476b4c2900c40680cedacf6
- SHA256: 38f9dc7d43224d245fa5c1405fb3f624e2659f28655a59fc5737973b84cc282f
- SHA512: f06301398fdf04fc4a6dad837373ed421343570e87a1080c76545f62409ee5ac4efca60ec4585317a82f0def8f6a8d238985e9dbad37a336667f1d2b53b6cb6b
- SSDEEP: 24576:SAQoDefT6HesrQrSDZhyZ+aan+mMfqZaRfAuYLNH9pRBFZIlPed9775:SAcGHC2ZUZ+umWea+NPpRB/Iped977
Malware Config
Signatures
- Blackshades
  Blackshades is a remote access trojan with various capabilities.
- Blackshades family
- Blackshades payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2700-32-0x0000000000400000-0x000000000047B000-memory.dmp | family_blackshades
  behavioral1/memory/2700-31-0x0000000000400000-0x000000000047B000-memory.dmp | family_blackshades
- Modifies firewall policy service (3 TTPs, 8 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\D3Sept.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D3Sept.exe:*:Enabled:Windows Messanger" | reg.exe
- Executes dropped EXE (5 IoCs)
  pid | Process
  2496 | sarkoth.exe
  2860 | D3.exe
  1192 | Process not Found
  2908 | audiadg.exe
  3064 | bcdprov.exe
- Loads dropped DLL (5 IoCs)
  pid | Process
  2316 | JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe
  2316 | JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe
  2860 | D3.exe
  2860 | D3.exe
  2908 | audiadg.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\audiadg.exe" | audiadg.exe
- AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/files/0x000600000001939c-5.dat | autoit_exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2860 set thread context of 2700 | 2860 | D3.exe | 33
  PID 3064 set thread context of 2248 | 3064 | bcdprov.exe | 48
- yara_rule upx (7 IoCs)
  resource | yara_rule
  behavioral1/memory/2700-23-0x0000000000400000-0x000000000047B000-memory.dmp | upx
  behavioral1/memory/2700-28-0x0000000000400000-0x000000000047B000-memory.dmp | upx
  behavioral1/memory/2700-32-0x0000000000400000-0x000000000047B000-memory.dmp | upx
  behavioral1/memory/2700-30-0x0000000000400000-0x000000000047B000-memory.dmp | upx
  behavioral1/memory/2700-31-0x0000000000400000-0x000000000047B000-memory.dmp | upx
  behavioral1/memory/2700-26-0x0000000000400000-0x000000000047B000-memory.dmp | upx
  behavioral1/memory/2700-24-0x0000000000400000-0x000000000047B000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | D3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | audiadg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bcdprov.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Modifies registry key (1 TTPs, 4 IoCs)
  pid | Process
  1688 | reg.exe
  1568 | reg.exe
  784 | reg.exe
  1064 | reg.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  All 64 entries are repeats of the following two rows:
  2860 | D3.exe
  2908 | audiadg.exe
- Suspicious use of AdjustPrivilegeToken (39 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2316 | JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe
  Token: SeDebugPrivilege | 2860 | D3.exe
  Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (35 entries, one per token) | 2700 | AppLaunch.exe
  Token: SeDebugPrivilege | 2908 | audiadg.exe
  Token: SeDebugPrivilege | 3064 | bcdprov.exe
- Suspicious use of FindShellTrayWindow (11 IoCs)
  pid | Process
  2496 | sarkoth.exe (all 11 entries)
- Suspicious use of SendNotifyMessage (11 IoCs)
  pid | Process
  2496 | sarkoth.exe (all 11 entries)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  2700 | AppLaunch.exe (4 entries)
  2248 | AppLaunch.exe (2 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | entries
  PID 2316 wrote to memory of 2496 | 2316 | JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe | 31 | 4
  PID 2316 wrote to memory of 2860 | 2316 | JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe | 32 | 4
  PID 2860 wrote to memory of 2700 | 2860 | D3.exe | 33 | 11
  PID 2700 wrote to memory of 2688 | 2700 | AppLaunch.exe | 34 | 7
  PID 2700 wrote to memory of 2696 | 2700 | AppLaunch.exe | 35 | 7
  PID 2700 wrote to memory of 2752 | 2700 | AppLaunch.exe | 37 | 7
  PID 2700 wrote to memory of 2012 | 2700 | AppLaunch.exe | 38 | 7
  PID 2860 wrote to memory of 2908 | 2860 | D3.exe | 39 | 4
  PID 2688 wrote to memory of 784 | 2688 | cmd.exe | 43 | 7
  PID 2752 wrote to memory of 1568 | 2752 | cmd.exe | 44 | 6
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe (depth 1, PID 2316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Software\sarkoth.exe (depth 2, PID 2496)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Software\sarkoth.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\Software\D3.exe (depth 2, PID 2860)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Software\D3.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 3, PID 2700)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2688)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (depth 5, PID 784)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2696)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\reg.exe (depth 5, PID 1064)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2752)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (depth 5, PID 1568)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2012)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\D3Sept.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\D3Sept.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\reg.exe (depth 5, PID 1688)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\D3Sept.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\D3Sept.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe (depth 3, PID 2908)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\bcdprov.exe (depth 4, PID 3064)
        Command line: "C:\Users\Admin\AppData\Local\Temp\bcdprov.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 5, PID 2248)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads
- Filesize: 11KB
  MD5: 9b3848f7bd575120a33fb480774b5b6b
  SHA1: 9a7ef7a9b4f946f4ddbe2fadb3c52f1fd6991045
  SHA256: 271f73350c0e95d765fe1ccbf4b1fae1f7b62b62a723472a65f562ceab22d791
  SHA512: 02a7364ff655f0a4345b7428f577396a8ec7347f2d8466f4d957b7dd3909baf6b7b403135450b3f142ea275452fbfb418f64f075fba11f808640479d726a73b3
- Filesize: 340KB
  MD5: 486fdb3d60c7811dee22742cca9f93dc
  SHA1: d59ae0af20b78abfd351482cb1c93f62f4cf469f
  SHA256: eacf7057eff4e24be433c7437053d5dc34b1c32e9373d723281780cbd8144c68
  SHA512: 61f8eaf774678b82a494865f96c799ae1aa2ca00fd5e75b3cc28e4d802cc7343b02a7e44c8bd1d9c31f7b93441f2c5d4793eb4689458f3c81bcd5b2ae28b56f0
- Filesize: 813KB
  MD5: 953d441e4dbbce93ffb02fe1bb203e34
  SHA1: 77917fb53535e770137fb6915f8db37ae5464ea4
  SHA256: 66da1f6e8952366700054e3bf9c1ca20a58fa1df58d8783c1389f358bdf3513d
  SHA512: 77b37d091c55cc8f7f8b455c26e9e47898e83795d6890316f529715fdd3981aac50917ab6677170b705731c40d49b0646d234fe38e6cbb3c334c7a4c7aa257dd