Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system -
submitted
08/02/2025, 07:59
Behavioral task
behavioral1
Sample
e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe
Resource
win10v2004-20250207-en
General
-
Target
e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe
-
Size
295KB
-
MD5
9bd0b6f30d4706be26014d748b4443a0
-
SHA1
64277e545d5e3db5d4a7d0a5ea9ae670c2dad779
-
SHA256
e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6b
-
SHA512
aef4ec64145af773b3c262b437ff0342ea50cf361febde4fd4f779bc772712642376974acd17334c6cb6e1b89ee827e35788405305a98477aa93414fce9cc97c
-
SSDEEP
6144:Hg2hTSrKvmpwAHx8ADA1epmoI+zwOLoxZq2djzpqbTYDmwihkoSI:HxhTS64R8UAemBO0xZq2dzpqmmthkoSI
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 13 IoCs
resource yara_rule behavioral2/memory/3308-48-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/3308-65-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/3308-66-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/3308-70-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/3308-73-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/3308-76-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/3308-78-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/3308-81-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/3308-83-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/3308-85-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/3308-88-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/3308-90-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/3308-92-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Registry\\svchost.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe -
Downloads MZ/PE file 1 IoCs
flow pid Process 51 4832 Process not Found -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe -
Executes dropped EXE 3 IoCs
pid Process 4084 svchost.exe 3308 svchost.exe 4468 svchost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Registry = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Registry\\svchost.exe" reg.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4084 set thread context of 3308 4084 svchost.exe 94 PID 4084 set thread context of 4468 4084 svchost.exe 95 -
resource yara_rule behavioral2/memory/1700-0-0x0000000000400000-0x00000000005A8000-memory.dmp upx behavioral2/files/0x0007000000023dc8-26.dat upx behavioral2/memory/1700-39-0x0000000000400000-0x00000000005A8000-memory.dmp upx behavioral2/memory/3308-42-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4468-58-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/4468-60-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/4468-54-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/4084-64-0x0000000000400000-0x00000000005A8000-memory.dmp upx behavioral2/memory/3308-46-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/3308-48-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/3308-65-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/3308-66-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4468-67-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/3308-70-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/3308-73-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/3308-76-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/3308-78-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/3308-81-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/3308-83-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/3308-85-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/3308-88-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/3308-90-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/3308-92-0x0000000000400000-0x000000000045C000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1336 MicrosoftEdgeUpdate.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 1980 reg.exe 2916 reg.exe 4124 reg.exe 2488 reg.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: 1 3308 svchost.exe Token: SeCreateTokenPrivilege 3308 svchost.exe Token: SeAssignPrimaryTokenPrivilege 3308 svchost.exe Token: SeLockMemoryPrivilege 3308 svchost.exe Token: SeIncreaseQuotaPrivilege 3308 svchost.exe Token: SeMachineAccountPrivilege 3308 svchost.exe Token: SeTcbPrivilege 3308 svchost.exe Token: SeSecurityPrivilege 3308 svchost.exe Token: SeTakeOwnershipPrivilege 3308 svchost.exe Token: SeLoadDriverPrivilege 3308 svchost.exe Token: SeSystemProfilePrivilege 3308 svchost.exe Token: SeSystemtimePrivilege 3308 svchost.exe Token: SeProfSingleProcessPrivilege 3308 svchost.exe Token: SeIncBasePriorityPrivilege 3308 svchost.exe Token: SeCreatePagefilePrivilege 3308 svchost.exe Token: SeCreatePermanentPrivilege 3308 svchost.exe Token: SeBackupPrivilege 3308 svchost.exe Token: SeRestorePrivilege 3308 svchost.exe Token: SeShutdownPrivilege 3308 svchost.exe Token: SeDebugPrivilege 3308 svchost.exe Token: SeAuditPrivilege 3308 svchost.exe Token: SeSystemEnvironmentPrivilege 3308 svchost.exe Token: SeChangeNotifyPrivilege 3308 svchost.exe Token: SeRemoteShutdownPrivilege 3308 svchost.exe Token: SeUndockPrivilege 3308 svchost.exe Token: SeSyncAgentPrivilege 3308 svchost.exe Token: SeEnableDelegationPrivilege 3308 svchost.exe Token: SeManageVolumePrivilege 3308 svchost.exe Token: SeImpersonatePrivilege 3308 svchost.exe Token: SeCreateGlobalPrivilege 3308 svchost.exe Token: 31 3308 svchost.exe Token: 32 3308 svchost.exe Token: 33 3308 svchost.exe Token: 34 3308 svchost.exe Token: 35 3308 svchost.exe Token: SeDebugPrivilege 4468 svchost.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1700 e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe 4084 svchost.exe 3308 svchost.exe 3308 svchost.exe 3308 svchost.exe 4468 svchost.exe -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 1700 wrote to memory of 3944 1700 e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe 89 PID 1700 wrote to memory of 3944 1700 e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe 89 PID 1700 wrote to memory of 3944 1700 e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe 89 PID 3944 wrote to memory of 2760 3944 cmd.exe 92 PID 3944 wrote to memory of 2760 3944 cmd.exe 92 PID 3944 wrote to memory of 2760 3944 cmd.exe 92 PID 1700 wrote to memory of 4084 1700 e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe 93 PID 1700 wrote to memory of 4084 1700 e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe 93 PID 1700 wrote to memory of 4084 1700 e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe 93 PID 4084 wrote to memory of 3308 4084 svchost.exe 94 PID 4084 wrote to memory of 3308 4084 svchost.exe 94 PID 4084 wrote to memory of 3308 4084 svchost.exe 94 PID 4084 wrote to memory of 3308 4084 svchost.exe 94 PID 4084 wrote to memory of 3308 4084 svchost.exe 94 PID 4084 wrote to memory of 3308 4084 svchost.exe 94 PID 4084 wrote to memory of 3308 4084 svchost.exe 94 PID 4084 wrote to memory of 3308 4084 svchost.exe 94 PID 4084 wrote to memory of 4468 4084 svchost.exe 95 PID 4084 wrote to memory of 4468 4084 svchost.exe 95 PID 4084 wrote to memory of 4468 4084 svchost.exe 95 PID 3308 wrote to memory of 4360 3308 svchost.exe 96 PID 3308 wrote to memory of 4360 3308 svchost.exe 96 PID 3308 wrote to memory of 4360 3308 svchost.exe 96 PID 3308 wrote to memory of 2228 3308 svchost.exe 97 PID 3308 wrote to memory of 2228 3308 svchost.exe 97 PID 3308 wrote to memory of 2228 3308 svchost.exe 97 PID 4084 wrote to memory of 4468 4084 svchost.exe 95 PID 3308 wrote to memory of 4300 3308 svchost.exe 98 PID 3308 wrote to memory of 4300 3308 svchost.exe 98 PID 3308 wrote to memory of 4300 3308 svchost.exe 98 PID 3308 wrote to memory of 1028 3308 svchost.exe 99 PID 3308 wrote to memory of 1028 3308 svchost.exe 99 PID 3308 wrote to memory of 1028 3308 svchost.exe 99 PID 4084 wrote to memory of 4468 4084 svchost.exe 95 PID 4084 wrote to memory of 4468 4084 svchost.exe 95 PID 4084 wrote to memory of 4468 4084 svchost.exe 95 PID 4084 wrote to memory of 4468 4084 svchost.exe 95 PID 4360 wrote to memory of 1980 4360 cmd.exe 104 PID 4360 wrote to memory of 1980 4360 cmd.exe 104 PID 4360 wrote to memory of 1980 4360 cmd.exe 104 PID 4300 wrote to memory of 2488 4300 cmd.exe 105 PID 4300 wrote to memory of 2488 4300 cmd.exe 105 PID 4300 wrote to memory of 2488 4300 cmd.exe 105 PID 1028 wrote to memory of 4124 1028 cmd.exe 106 PID 1028 wrote to memory of 4124 1028 cmd.exe 106 PID 1028 wrote to memory of 4124 1028 cmd.exe 106 PID 2228 wrote to memory of 2916 2228 cmd.exe 107 PID 2228 wrote to memory of 2916 2228 cmd.exe 107 PID 2228 wrote to memory of 2916 2228 cmd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe"C:\Users\Admin\AppData\Local\Temp\e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuPxq.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Registry" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2760
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe"C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe"C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1980
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2916
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2488
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4124
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe"C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4468
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkY1QkQ0NDktNUQ4Ny00MDlCLUFBRDktNTE3OUYzMkFCOUM4fSIgdXNlcmlkPSJ7OTRBMjQyMjYtMzFEMC00MjgyLUEwRjMtMkYzRTQ0MkI4NTU1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUYxNkUxNkEtODU3Ri00Mjg0LTkwMEQtODkxRDc4NUI5NUI0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ5MjgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNzQzMjM4OTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjI0NTYxNTUwIi8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1336
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
162B
MD55e4140832887cea8efa834f831b17558
SHA125c6e383330404805daf29d39a28109e97e3b702
SHA256d0a24ea90a7d31cecf370b8d43d5be23b6875e1cf2edbde0dfb4ef869108749c
SHA51268d4c5f5b70e12bebdd92b8c615ac0d640bc8761ec89800eff6da57e72083ba496301ff8248700d0d73bdfb6846678ea9692f816ef9473e45766b5f5b605720f
-
Filesize
114B
MD5e89f75f918dbdcee28604d4e09dd71d7
SHA1f9d9055e9878723a12063b47d4a1a5f58c3eb1e9
SHA2566dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023
SHA5128df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0
-
Filesize
295KB
MD5bca87acc58affda9e617de32883d3d57
SHA1193bdd3b8035998ea5cc18bf5f00a45f68205c6a
SHA25683677088ba00c1fcb6eaeead7dba89295018d02f32591a4aa4804ac3ebbbbcb3
SHA512a458a995ae7c9dc0fc18441a2026028e66b67f89baeb0eb7e82889d0bb7bad4fbbe17471ae2f7ebc46ca12fd6f79bcef896dbc3e1b0ed10cd9e33bcad3c42a23