Analysis
-
max time kernel
147s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24/01/2025, 12:07
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe
-
Size
613KB
-
MD5
213f7a4c2bb0b574d12ce0b293ab674b
-
SHA1
78583186555a9c98e8d539039f7c12ce5a95a094
-
SHA256
22f94a59580530ae05efe646efe59c028dade517045ef7d45571231d729bc507
-
SHA512
d8944380839fefb8dd34abeac8c9eaf4a4fdc954ca4ea2685f1d523442a1728d4e5689588b0946ced5a9a8b523ae963cc2dafe0446779c05260497d542ab5e5a
-
SSDEEP
12288:A7lrdHyHBw8ebLwBVD8Wdq1SZivVVyDYf6L:U9hCcfwrD8WdlZG4v
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 10 IoCs
resource yara_rule behavioral1/memory/2876-59-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral1/memory/2876-57-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral1/memory/2876-69-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral1/memory/2876-71-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral1/memory/2876-73-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral1/memory/2876-74-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral1/memory/2876-75-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral1/memory/2876-78-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral1/memory/2876-85-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral1/memory/2876-86-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\service.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\service.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Dynamic-link Libraries = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe" service.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2EFAF1B-FDBF-42CA-EFB9-5ABEBFF76DDE} service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2EFAF1B-FDBF-42CA-EFB9-5ABEBFF76DDE}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe" service.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{B2EFAF1B-FDBF-42CA-EFB9-5ABEBFF76DDE} service.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components\{B2EFAF1B-FDBF-42CA-EFB9-5ABEBFF76DDE}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe" service.exe -
Executes dropped EXE 3 IoCs
pid Process 1960 service.exe 2812 service.exe 2876 service.exe -
Loads dropped DLL 6 IoCs
pid Process 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 1960 service.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\service.exe" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Dynamic-link Libraries = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe" service.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dynamic-link Libraries = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe" service.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1960 set thread context of 2812 1960 service.exe 34 PID 2812 set thread context of 2876 2812 service.exe 35 -
resource yara_rule behavioral1/memory/2876-59-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-57-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-56-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-53-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-49-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-47-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-69-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-71-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-73-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-74-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-75-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-78-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-85-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral1/memory/2876-86-0x0000000000400000-0x0000000000473000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 2304 reg.exe 2568 reg.exe 1112 reg.exe 1572 reg.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: 1 2876 service.exe Token: SeCreateTokenPrivilege 2876 service.exe Token: SeAssignPrimaryTokenPrivilege 2876 service.exe Token: SeLockMemoryPrivilege 2876 service.exe Token: SeIncreaseQuotaPrivilege 2876 service.exe Token: SeMachineAccountPrivilege 2876 service.exe Token: SeTcbPrivilege 2876 service.exe Token: SeSecurityPrivilege 2876 service.exe Token: SeTakeOwnershipPrivilege 2876 service.exe Token: SeLoadDriverPrivilege 2876 service.exe Token: SeSystemProfilePrivilege 2876 service.exe Token: SeSystemtimePrivilege 2876 service.exe Token: SeProfSingleProcessPrivilege 2876 service.exe Token: SeIncBasePriorityPrivilege 2876 service.exe Token: SeCreatePagefilePrivilege 2876 service.exe Token: SeCreatePermanentPrivilege 2876 service.exe Token: SeBackupPrivilege 2876 service.exe Token: SeRestorePrivilege 2876 service.exe Token: SeShutdownPrivilege 2876 service.exe Token: SeDebugPrivilege 2876 service.exe Token: SeAuditPrivilege 2876 service.exe Token: SeSystemEnvironmentPrivilege 2876 service.exe Token: SeChangeNotifyPrivilege 2876 service.exe Token: SeRemoteShutdownPrivilege 2876 service.exe Token: SeUndockPrivilege 2876 service.exe Token: SeSyncAgentPrivilege 2876 service.exe Token: SeEnableDelegationPrivilege 2876 service.exe Token: SeManageVolumePrivilege 2876 service.exe Token: SeImpersonatePrivilege 2876 service.exe Token: SeCreateGlobalPrivilege 2876 service.exe Token: 31 2876 service.exe Token: 32 2876 service.exe Token: 33 2876 service.exe Token: 34 2876 service.exe Token: 35 2876 service.exe Token: SeDebugPrivilege 2876 service.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 1960 service.exe 2812 service.exe 2876 service.exe 2876 service.exe 2876 service.exe -
Suspicious use of WriteProcessMemory 61 IoCs
description pid Process procid_target PID 2100 wrote to memory of 2104 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 30 PID 2100 wrote to memory of 2104 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 30 PID 2100 wrote to memory of 2104 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 30 PID 2100 wrote to memory of 2104 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 30 PID 2104 wrote to memory of 2408 2104 cmd.exe 32 PID 2104 wrote to memory of 2408 2104 cmd.exe 32 PID 2104 wrote to memory of 2408 2104 cmd.exe 32 PID 2104 wrote to memory of 2408 2104 cmd.exe 32 PID 2100 wrote to memory of 1960 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 33 PID 2100 wrote to memory of 1960 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 33 PID 2100 wrote to memory of 1960 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 33 PID 2100 wrote to memory of 1960 2100 JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe 33 PID 1960 wrote to memory of 2812 1960 service.exe 34 PID 1960 wrote to memory of 2812 1960 service.exe 34 PID 1960 wrote to memory of 2812 1960 service.exe 34 PID 1960 wrote to memory of 2812 1960 service.exe 34 PID 1960 wrote to memory of 2812 1960 service.exe 34 PID 1960 wrote to memory of 2812 1960 service.exe 34 PID 1960 wrote to memory of 2812 1960 service.exe 34 PID 1960 wrote to memory of 2812 1960 service.exe 34 PID 1960 wrote to memory of 2812 1960 service.exe 34 PID 2812 wrote to memory of 2876 2812 service.exe 35 PID 2812 wrote to memory of 2876 2812 service.exe 35 PID 2812 wrote to memory of 2876 2812 service.exe 35 PID 2812 wrote to memory of 2876 2812 service.exe 35 PID 2812 wrote to memory of 2876 2812 service.exe 35 PID 2812 wrote to memory of 2876 2812 service.exe 35 PID 2812 wrote to memory of 2876 2812 service.exe 35 PID 2812 wrote to memory of 2876 2812 service.exe 35 PID 2876 wrote to memory of 1168 2876 service.exe 36 PID 2876 wrote to memory of 1168 2876 service.exe 36 PID 2876 wrote to memory of 1168 2876 service.exe 36 PID 2876 wrote to memory of 1168 2876 service.exe 36 PID 2876 wrote to memory of 2600 2876 service.exe 37 PID 2876 wrote to memory of 2600 2876 service.exe 37 PID 2876 wrote to memory of 2600 2876 service.exe 37 PID 2876 wrote to memory of 2600 2876 service.exe 37 PID 2876 wrote to memory of 2596 2876 service.exe 38 PID 2876 wrote to memory of 2596 2876 service.exe 38 PID 2876 wrote to memory of 2596 2876 service.exe 38 PID 2876 wrote to memory of 2596 2876 service.exe 38 PID 2876 wrote to memory of 2616 2876 service.exe 39 PID 2876 wrote to memory of 2616 2876 service.exe 39 PID 2876 wrote to memory of 2616 2876 service.exe 39 PID 2876 wrote to memory of 2616 2876 service.exe 39 PID 2600 wrote to memory of 2304 2600 cmd.exe 44 PID 2600 wrote to memory of 2304 2600 cmd.exe 44 PID 2600 wrote to memory of 2304 2600 cmd.exe 44 PID 2600 wrote to memory of 2304 2600 cmd.exe 44 PID 2616 wrote to memory of 2568 2616 cmd.exe 45 PID 2616 wrote to memory of 2568 2616 cmd.exe 45 PID 2616 wrote to memory of 2568 2616 cmd.exe 45 PID 2616 wrote to memory of 2568 2616 cmd.exe 45 PID 2596 wrote to memory of 1112 2596 cmd.exe 46 PID 2596 wrote to memory of 1112 2596 cmd.exe 46 PID 2596 wrote to memory of 1112 2596 cmd.exe 46 PID 2596 wrote to memory of 1112 2596 cmd.exe 46 PID 1168 wrote to memory of 1572 1168 cmd.exe 47 PID 1168 wrote to memory of 1572 1168 cmd.exe 47 PID 1168 wrote to memory of 1572 1168 cmd.exe 47 PID 1168 wrote to memory of 1572 1168 cmd.exe 47
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\259435044.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2408
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe"C:\Users\Admin\AppData\Roaming\Microsoft\service.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Users\Admin\AppData\Roaming\Microsoft\service.exeC:\Users\Admin\AppData\Roaming\Microsoft\service.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe4⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f6⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1572
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe:*:Enabled:Windows Messanger" /f5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe:*:Enabled:Windows Messanger" /f6⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2304
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f6⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1112
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe:*:Enabled:Windows Messanger" /f5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe:*:Enabled:Windows Messanger" /f6⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2568
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
146B
MD57eee65b102f30fd1ead48a8cd3b99827
SHA12f74a754019f280c6186c11531d460006814952e
SHA2565748c60056db288b67e61148b339778816279e36907977f4fe03b5df04f6b57f
SHA512a06de9e35ada579a95b2ba399e4c65b074d642788d456e10e0ae967896ac729c552f715261d9dc8c17fffca8d6b9144a6155ff11ab8569a82bdbd9d26109bd85
-
Filesize
613KB
MD5d734320ba2792758b504eee119891eff
SHA157687899ed5bdc79d693f4f033c978349ab4d79e
SHA256c7502395cde64b76118b787d9a8715dee80be10ae8428e52b2bf4eee4d52d3ce
SHA512196625973ef7d003a68053049840690b8b4fec29cd27f92f2c6d067ab7a6b769f9ba3346de4ea79dae020f3e5985246e00c6ea175d35fefcdd3a19573eba4dd0