Analysis
max time kernel: 11s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24/01/2025, 13:28

Behavioral task: behavioral1
Sample: 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe
Resource: win10v2004-20241007-en
General
Target: 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe
Size: 1.2MB
MD5: c2248fa5fffaf5f6b205d2d3eab810e0
SHA1: 44be568fea7f80f646882d84d65e94b0b19cebf5
SHA256: 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48
SHA512: 9eabfc3535a952e7d48924e933ab6d8aff0d148ed2c5954ceb171bfab5bd36070dec6b91189f72adaeb5588c8424e63b0785f0024e15e5ba780dfe089f9ef517
SSDEEP: 3072:gRRHyoBg8zJRAxuU+N6ET/d9ArfCS3VT62FQwiDefNbaSBVpMQRQ8imgCQIqi/cK:gRhoxrn/vmrqaTh2uMnuPea4g/GcY
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload 2 IoCs
resource | yara_rule
behavioral1/memory/1668-316-0x0000000000400000-0x000000000047B000-memory.dmp | family_blackshades
behavioral1/memory/1668-324-0x0000000000400000-0x000000000047B000-memory.dmp | family_blackshades
Modifies firewall policy service 3 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\javaruntime.exe = "C:\\Windows\\javaruntime.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winprocess.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winprocess.exe:*:Enabled:Windows Messanger" | reg.exe
Executes dropped EXE 3 IoCs
pid | Process
1852 | javaruntime.exe
2104 | javaruntime.exe
1668 | javaruntime.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaruntime = "C:\\Windows\\javaruntime.exe" | reg.exe
Checks whether UAC is enabled 1 TTPs 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | javaruntime.exe
Suspicious use of SetThreadContext 5 IoCs
description | pid | Process | procid_target
PID 1620 set thread context of 2616 | 1620 | 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe | 31
PID 1620 set thread context of 1396 | 1620 | 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe | 32
PID 1852 set thread context of 1688 | 1852 | javaruntime.exe | 38
PID 1852 set thread context of 2104 | 1852 | javaruntime.exe | 39
PID 1852 set thread context of 1668 | 1852 | javaruntime.exe | 40

yara_rule upx 14 IoCs
resource | yara_rule
behavioral1/memory/1620-0-0x0000000000400000-0x000000000052E000-memory.dmp | upx
behavioral1/memory/1620-99-0x0000000000400000-0x000000000052E000-memory.dmp | upx
behavioral1/memory/1620-80-0x0000000000400000-0x000000000052E000-memory.dmp | upx
behavioral1/memory/1620-129-0x0000000000400000-0x000000000052E000-memory.dmp | upx
behavioral1/memory/1396-145-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/1620-144-0x0000000000400000-0x000000000052E000-memory.dmp | upx
behavioral1/memory/1396-136-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/files/0x0008000000012118-171.dat | upx
behavioral1/memory/1396-290-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/1668-316-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral1/memory/1852-318-0x0000000000400000-0x000000000052E000-memory.dmp | upx
behavioral1/memory/1396-321-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/2104-322-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/1668-324-0x0000000000400000-0x000000000047B000-memory.dmp | upx
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\javaruntime.exe | 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe
File opened for modification | C:\Windows\javaruntime.exe | 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process (number of identical entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (6)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe (2)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | javaruntime.exe (3)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (4)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe (2)
Modifies registry key 1 TTPs 4 IoCs
pid | Process
2844 | reg.exe
3064 | reg.exe
804 | reg.exe
1860 | reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2616 | svchost.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 36 IoCs
pid 1668 javaruntime.exe (35 entries), Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
pid 2104 javaruntime.exe (1 entry), Token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
1620 | 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe
2616 | svchost.exe
1396 | 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe
1852 | javaruntime.exe
1688 | svchost.exe
2104 | javaruntime.exe
1668 | javaruntime.exe (4 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | identical entries
PID 1620 wrote to memory of 2616 | 1620 | 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe | 31 | 10
PID 1620 wrote to memory of 1396 | 1620 | 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe | 32 | 11
PID 1396 wrote to memory of 1708 | 1396 | 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe | 33 | 4
PID 1708 wrote to memory of 1332 | 1708 | cmd.exe | 35 | 4
PID 1396 wrote to memory of 1852 | 1396 | 1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe | 36 | 7
PID 1852 wrote to memory of 1688 | 1852 | javaruntime.exe | 38 | 10
PID 1852 wrote to memory of 2104 | 1852 | javaruntime.exe | 39 | 11
PID 1852 wrote to memory of 1668 | 1852 | javaruntime.exe | 40 | 7
Processes
Process tree for behavioral1; the bracketed number is the depth in the tree, the quoted text is the command line as executed.

[1] C:\Users\Admin\AppData\Local\Temp\1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe"
    PID: 1620
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Windows\system32\svchost.exe"
      PID: 2616
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

  [2] C:\Users\Admin\AppData\Local\Temp\1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1453106533c9aee57ffcdfaf9bef166ec92786183e7f155af2ab918225e37f48N.exe"
      PID: 1396
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\TLAUR.bat" "
        PID: 1708
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaruntime" /t REG_SZ /d "C:\Windows\javaruntime.exe" /f
          PID: 1332
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery

    [3] C:\Windows\javaruntime.exe
        Command line: "C:\Windows\javaruntime.exe"
        PID: 1852
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 1688
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

      [4] C:\Windows\javaruntime.exe
          Command line: "C:\Windows\javaruntime.exe"
          PID: 2104
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

      [4] C:\Windows\javaruntime.exe
          Command line: "C:\Windows\javaruntime.exe"
          PID: 1668
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 2528
            - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              PID: 3064
              - Modifies firewall policy service
              - System Location Discovery: System Language Discovery
              - Modifies registry key

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\javaruntime.exe" /t REG_SZ /d "C:\Windows\javaruntime.exe:*:Enabled:Windows Messanger" /f
            PID: 2436
            - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\javaruntime.exe" /t REG_SZ /d "C:\Windows\javaruntime.exe:*:Enabled:Windows Messanger" /f
              PID: 1860
              - Modifies firewall policy service
              - System Location Discovery: System Language Discovery
              - Modifies registry key

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 2020
            - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              PID: 2844
              - Modifies firewall policy service
              - System Location Discovery: System Language Discovery
              - Modifies registry key

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winprocess.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winprocess.exe:*:Enabled:Windows Messanger" /f
            PID: 2512
            - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winprocess.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winprocess.exe:*:Enabled:Windows Messanger" /f
              PID: 804
              - Modifies firewall policy service
              - System Location Discovery: System Language Discovery
              - Modifies registry key
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads
Filesize: 124B
MD5: 163f8e838efe1d166ffff7408b814e28
SHA1: 52fa0ccba649587e7d24d21d182657078fa6d028
SHA256: dc60287c419225759aa9e1ea0423be4106337dad71aaa0cdc9d55d2b1af3edb7
SHA512: b6685390029555f7d812f0d1a9f138c619555712add3e79c1c90a1a5a0c544e4a86768a626d25c6af3cec09afc0bbaf7f398114e849831bdc5666fc443a1f68d

Filesize: 1.2MB
MD5: d67986946355c3740ad9e032475594cb
SHA1: 6e95136c86dcc683f323e9c020cb7d85a030fda9
SHA256: 2e519969d2683217c425d5da89c8005ff9d729e43ec1542fe9a98f7a9eb0aba5
SHA512: 75b236183efbfab3e91dfdd9db274624872d765edbbda9c49aa6775f9cf19e87155ac7ac8d82f33b818c809f3a1e209ccfa21229c42584bb1693a413e7b7c00f