Analysis
- Max time kernel: 150s
- Max time network: 154s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240508-uk
- Submitted: 09/05/2024, 13:07
Static task: static1
Behavioral task: behavioral1
- Sample: Form_W-9_Ver-i40_53b043910-86g91352u7972-6495q3.js
- Resource: win10v2004-20240508-uk
General
- Target: Form_W-9_Ver-i40_53b043910-86g91352u7972-6495q3.js
- Size: 467KB
- MD5: 6682dc1281579bd8789a8d2c09ca4251
- SHA1: 67bb21c9665fc12d8dc6ef2ac775c3f6274bd0ed
- SHA256: 937d07239cbfee2d34b7f1fae762ac72b52fb2b710e87e02fa758f452aa62913
- SHA512: 629219ec7dd6d1ca529daabeffe7b4430467d089054876c203d7be9979c32bb6d01901d018d88a81699ae18ba1be1421ec5fcbea6610f3e96953b1ab07b048bb
- SSDEEP: 6144:I/sTY54eD0MDV96cPh7siYttNfIR3zKEyX90q+jTEkyZxUwwkykmQmByuPatD/ey:8uu96FjIR3MN24Uk1
Malware Config
Extracted configuration (latrodectus), URLs:
- https://workspacin.cloud/live/
- https://qaliharsit.tech/live/
Signatures
- Brute Ratel C4
  A customized command and control framework for red teaming and adversary simulation.
- Bruteratel family
- Detect BruteRatel badger (2 IoCs)
  resource | yara_rule
  behavioral1/memory/3196-40-0x000000026E7A0000-0x000000026E7EA000-memory.dmp | family_bruteratel
  behavioral1/memory/3196-41-0x000000026E7A0000-0x000000026E7EA000-memory.dmp | family_bruteratel
- Latrodectus family
- Latrodectus loader
  Latrodectus is a loader written in C++.
- Detect Latrodectus Loader variant 2 (3 IoCs)
  resource | yara_rule
  behavioral1/memory/3560-72-0x0000000000750000-0x0000000000762000-memory.dmp | family_latrodectus_v2
  behavioral1/memory/3196-67-0x00007FF4AF400000-0x00007FF4AF412000-memory.dmp | family_latrodectus_v2
  behavioral1/memory/3560-73-0x0000000000750000-0x0000000000762000-memory.dmp | family_latrodectus_v2
- Blocklisted process makes network request (38 IoCs)
  flow | pid | Process
  2, 4 | 1500 | wscript.exe
  13 | 2984 | msiexec.exe
  22, 24, 28, 31, 34, 37, 42, 43, 44, 45, 46, 49, 53, 63, 64, 65, 66, 67, 68, 70, 72, 77, 79, 82, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94 | 3196 | rundll32.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2416 | MSI6865.tmp
- Loads dropped DLL (5 IoCs)
  pid | Process
  808 | MsiExec.exe (4 entries)
  3196 | rundll32.exe (1 entry)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\upfilles.dll\", stow" | rundll32.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\X:, \??\A:, \??\J:, \??\L:, \??\N:, \??\Q:, \??\U:, \??\V:, \??\Z:, \??\G:, \??\P:, \??\T:, \??\B:, \??\I:, \??\R:, \??\S:, \??\W:, \??\E:, \??\H:, \??\K:, \??\M:, \??\O:, \??\Y: (one entry per drive letter) | msiexec.exe
- Drops file in Windows directory (10 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\MSI6865.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI59A9.tmp | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI65DF.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI6729.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI67F6.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI66BB.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI6778.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
- Command and Scripting Interpreter: JavaScript (1 TTP)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSI6865.tmp
- Modifies system certificate store
  description | ioc | Process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = [hex-encoded certificate blob omitted here] | wscript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 | wscript.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = [blob value not captured] | wscript.exe
  The omitted blob is a DER certificate whose subject and friendly name both read GlobalSign Code Signing Root R45, a public CA root written into the AuthRoot cache (the store Windows uses for automatically downloaded trusted roots).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2984 | msiexec.exe (2 entries)
  2416 | MSI6865.tmp (2 entries)
  3196 | rundll32.exe (2 entries)
  3560 | Explorer.EXE (4 entries)
  3196 | rundll32.exe (remaining 54 entries)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege | 1500 | wscript.exe
  Token: SeSecurityPrivilege | 2984 | msiexec.exe
  Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege | 1500 | wscript.exe
  Token: SeRestorePrivilege, SeTakeOwnershipPrivilege (alternating, 7 times each) | 2984 | msiexec.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  3560 | Explorer.EXE
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2984 wrote to memory of 808 | 2984 | msiexec.exe | 85 (3 entries)
  PID 2984 wrote to memory of 2416 | 2984 | msiexec.exe | 86 (3 entries)
  PID 3196 wrote to memory of 3560 | 3196 | rundll32.exe | 56
  The last row, rundll32.exe (PID 3196) writing into Explorer.EXE (PID 3560), lines up with the family_latrodectus_v2 memory-dump hits recorded for PID 3560.
Processes
- C:\Windows\Explorer.EXE (PID 3560, level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - C:\Windows\system32\wscript.exe (PID 1500, level 2)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Form_W-9_Ver-i40_53b043910-86g91352u7972-6495q3.js
    - Blocklisted process makes network request
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\rundll32.exe (PID 3196, level 2)
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\upfilles.dll, stow
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
- C:\Windows\system32\msiexec.exe (PID 2984, level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 808, level 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 797B6E6824866BFAF0694DA3BA2AD049
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\Installer\MSI6865.tmp (PID 2416, level 2)
    Command line: "C:\Windows\Installer\MSI6865.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Roaming\upfilles.dll, stow
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Modify Registry (2)
  - Subvert Trust Controls (1)
    - Install Root Certificate (1)
Downloads
- Filesize: 508KB
  MD5: ccb6d3cb020f56758622911ddd2f1fcb
  SHA1: 4a013f752c2bf84ca37e418175e0d9b6f61f636d
  SHA256: f4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de
  SHA512: 6ed929967005eaa6407e273b53a1fedcb2b084d775bed17272fd05b1ce143dbf921ac201246dfbfdbe663c7351e44c12f162e6f03343548b69b5d4598bb3492e
- Filesize: 1.5MB
  MD5: b4a482a7e96cfdef632a7af286120156
  SHA1: 73e3639a9388af84b9c0f172b3aeaf3823014596
  SHA256: ead5ebf464c313176174ff0fdc3360a3477f6361d0947221d31287eeb04691b3
  SHA512: 15661f1dc751a48f5d213ec99c046e0b9fa1a2201d238d26bee0f15341e9d84611c30f152c463368c6d59f3e7cccb5ae991b1f3127ad65eb3a2ea7823d3b598b
- Filesize: 436KB
  MD5: 475d20c0ea477a35660e3f67ecf0a1df
  SHA1: 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
  SHA256: 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
  SHA512: 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
- Filesize: 389KB
  MD5: b9545ed17695a32face8c3408a6a3553
  SHA1: f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
  SHA256: 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
  SHA512: f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04