Analysis
max time kernel: 118s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20250207-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/02/2025, 10:25

Static task: static1
Behavioral task: behavioral1
  Sample: 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
  Resource: win10v2004-20250207-en
General
Target: 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
Size: 604KB
MD5: 55cca528a03ec3a98137c46271f3f657
SHA1: 49a044a803a4e3c0887971b212ca69552b72275f
SHA256: 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc
SHA512: c3cbad0c4401ea966d9f10cff5ccc3ddceca69d95afc81183c5abc57fffcca46c5f28d7daf0d99ec8275289a82b1f2e7946e899d0971348934eac07fec780d66
SSDEEP: 12288:NcHg+OMkYnx+ZkeeUE9EylqAUB7ftCwYTJ0Q+iK:NJ86eUyEQ/OtI1c
Malware Config
Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload 3 IoCs
resource | yara_rule
behavioral2/memory/2376-46-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral2/memory/2376-49-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral2/memory/2376-59-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
Modifies firewall policy service 3 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\svchost.exe = "C:\\Windows\\SysWOW64\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\RUNE.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RUNE.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Downloads MZ/PE file 1 IoCs
flow | pid | Process
36 | 948 | Process not Found
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
Executes dropped EXE 2 IoCs
pid | Process
4768 | Jload.exe
2256 | Jload.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jload = "C:\\Users\\Admin\\AppData\\Roaming\\Jload\\Jload.exe" | reg.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 5048 set thread context of 3452 | 5048 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 89
PID 4768 set thread context of 2256 | 4768 | Jload.exe | 95
PID 4768 set thread context of 2376 | 4768 | Jload.exe | 96

resource | yara_rule
behavioral2/memory/3452-6-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3452-8-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3452-10-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3452-52-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2256-57-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jload.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jload.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4332 | MicrosoftEdgeUpdate.exe
Modifies registry key 1 TTPs 4 IoCs
pid | Process
4016 | reg.exe
2708 | reg.exe
2984 | reg.exe
3052 | reg.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: 1 | 2376 | svchost.exe
Token: SeCreateTokenPrivilege | 2376 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 2376 | svchost.exe
Token: SeLockMemoryPrivilege | 2376 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2376 | svchost.exe
Token: SeMachineAccountPrivilege | 2376 | svchost.exe
Token: SeTcbPrivilege | 2376 | svchost.exe
Token: SeSecurityPrivilege | 2376 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2376 | svchost.exe
Token: SeLoadDriverPrivilege | 2376 | svchost.exe
Token: SeSystemProfilePrivilege | 2376 | svchost.exe
Token: SeSystemtimePrivilege | 2376 | svchost.exe
Token: SeProfSingleProcessPrivilege | 2376 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2376 | svchost.exe
Token: SeCreatePagefilePrivilege | 2376 | svchost.exe
Token: SeCreatePermanentPrivilege | 2376 | svchost.exe
Token: SeBackupPrivilege | 2376 | svchost.exe
Token: SeRestorePrivilege | 2376 | svchost.exe
Token: SeShutdownPrivilege | 2376 | svchost.exe
Token: SeDebugPrivilege | 2376 | svchost.exe
Token: SeAuditPrivilege | 2376 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2376 | svchost.exe
Token: SeChangeNotifyPrivilege | 2376 | svchost.exe
Token: SeRemoteShutdownPrivilege | 2376 | svchost.exe
Token: SeUndockPrivilege | 2376 | svchost.exe
Token: SeSyncAgentPrivilege | 2376 | svchost.exe
Token: SeEnableDelegationPrivilege | 2376 | svchost.exe
Token: SeManageVolumePrivilege | 2376 | svchost.exe
Token: SeImpersonatePrivilege | 2376 | svchost.exe
Token: SeCreateGlobalPrivilege | 2376 | svchost.exe
Token: 31 | 2376 | svchost.exe
Token: 32 | 2376 | svchost.exe
Token: 33 | 2376 | svchost.exe
Token: 34 | 2376 | svchost.exe
Token: 35 | 2376 | svchost.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Token: SeDebugPrivilege | 2256 | Jload.exe
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
5048 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
3452 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
4768 | Jload.exe
2256 | Jload.exe
2376 | svchost.exe
2376 | svchost.exe
2376 | svchost.exe
2376 | svchost.exe
Suspicious use of WriteProcessMemory 57 IoCs
description | pid | Process | procid_target
PID 5048 wrote to memory of 3452 | 5048 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 89
PID 5048 wrote to memory of 3452 | 5048 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 89
PID 5048 wrote to memory of 3452 | 5048 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 89
PID 5048 wrote to memory of 3452 | 5048 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 89
PID 5048 wrote to memory of 3452 | 5048 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 89
PID 5048 wrote to memory of 3452 | 5048 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 89
PID 5048 wrote to memory of 3452 | 5048 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 89
PID 5048 wrote to memory of 3452 | 5048 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 89
PID 3452 wrote to memory of 1076 | 3452 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 90
PID 3452 wrote to memory of 1076 | 3452 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 90
PID 3452 wrote to memory of 1076 | 3452 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 90
PID 1076 wrote to memory of 1276 | 1076 | cmd.exe | 93
PID 1076 wrote to memory of 1276 | 1076 | cmd.exe | 93
PID 1076 wrote to memory of 1276 | 1076 | cmd.exe | 93
PID 3452 wrote to memory of 4768 | 3452 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 94
PID 3452 wrote to memory of 4768 | 3452 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 94
PID 3452 wrote to memory of 4768 | 3452 | 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe | 94
PID 4768 wrote to memory of 2256 | 4768 | Jload.exe | 95
PID 4768 wrote to memory of 2256 | 4768 | Jload.exe | 95
PID 4768 wrote to memory of 2256 | 4768 | Jload.exe | 95
PID 4768 wrote to memory of 2256 | 4768 | Jload.exe | 95
PID 4768 wrote to memory of 2256 | 4768 | Jload.exe | 95
PID 4768 wrote to memory of 2256 | 4768 | Jload.exe | 95
PID 4768 wrote to memory of 2256 | 4768 | Jload.exe | 95
PID 4768 wrote to memory of 2256 | 4768 | Jload.exe | 95
PID 4768 wrote to memory of 2376 | 4768 | Jload.exe | 96
PID 4768 wrote to memory of 2376 | 4768 | Jload.exe | 96
PID 4768 wrote to memory of 2376 | 4768 | Jload.exe | 96
PID 4768 wrote to memory of 2376 | 4768 | Jload.exe | 96
PID 4768 wrote to memory of 2376 | 4768 | Jload.exe | 96
PID 4768 wrote to memory of 2376 | 4768 | Jload.exe | 96
PID 4768 wrote to memory of 2376 | 4768 | Jload.exe | 96
PID 4768 wrote to memory of 2376 | 4768 | Jload.exe | 96
PID 2376 wrote to memory of 3780 | 2376 | svchost.exe | 97
PID 2376 wrote to memory of 3780 | 2376 | svchost.exe | 97
PID 2376 wrote to memory of 3780 | 2376 | svchost.exe | 97
PID 2376 wrote to memory of 4572 | 2376 | svchost.exe | 98
PID 2376 wrote to memory of 4572 | 2376 | svchost.exe | 98
PID 2376 wrote to memory of 4572 | 2376 | svchost.exe | 98
PID 2376 wrote to memory of 1680 | 2376 | svchost.exe | 99
PID 2376 wrote to memory of 1680 | 2376 | svchost.exe | 99
PID 2376 wrote to memory of 1680 | 2376 | svchost.exe | 99
PID 2376 wrote to memory of 1068 | 2376 | svchost.exe | 100
PID 2376 wrote to memory of 1068 | 2376 | svchost.exe | 100
PID 2376 wrote to memory of 1068 | 2376 | svchost.exe | 100
PID 3780 wrote to memory of 4016 | 3780 | cmd.exe | 105
PID 3780 wrote to memory of 4016 | 3780 | cmd.exe | 105
PID 3780 wrote to memory of 4016 | 3780 | cmd.exe | 105
PID 4572 wrote to memory of 2708 | 4572 | cmd.exe | 106
PID 4572 wrote to memory of 2708 | 4572 | cmd.exe | 106
PID 4572 wrote to memory of 2708 | 4572 | cmd.exe | 106
PID 1068 wrote to memory of 2984 | 1068 | cmd.exe | 107
PID 1068 wrote to memory of 2984 | 1068 | cmd.exe | 107
PID 1068 wrote to memory of 2984 | 1068 | cmd.exe | 107
PID 1680 wrote to memory of 3052 | 1680 | cmd.exe | 108
PID 1680 wrote to memory of 3052 | 1680 | cmd.exe | 108
PID 1680 wrote to memory of 3052 | 1680 | cmd.exe | 108
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 5048

  Level 2: C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3452

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAWVM.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1076

      Level 4: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Jload" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Jload\Jload.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 1276

    Level 3: C:\Users\Admin\AppData\Roaming\Jload\Jload.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4768

      Level 4: C:\Users\Admin\AppData\Roaming\Jload\Jload.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 2256

      Level 4: C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Windows\system32\svchost.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2376

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 3780

          Level 6: C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
            PID: 4016

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4572

          Level 6: C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
            PID: 2708

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 1680

          Level 6: C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
            PID: 3052

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RUNE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RUNE.exe:*:Enabled:Windows Messanger" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 1068

          Level 6: C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RUNE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RUNE.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
            PID: 2984

Level 1: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded ping request body omitted]
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID: 4332
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (3)
Downloads

Filesize: 138B
MD5: bc18986a524cd5015b00135cbf312330
SHA1: 65c0fa726aa3b129e2d94a5518186c3cd866f3c0
SHA256: f27d92575749ef19cccc68a524662607f5be5ed2fb415fe7de4f4927f521709c
SHA512: afae8a27a1c64fedd75e9786bbeb4fc8c21795bb2cfd23a749e8de3f102977b391186597d8892cce7be71360b264b22c38a2eaf9507375c1d4e75a5586e8db2e

Filesize: 604KB
MD5: 20e51c3b9b0bbbfc4d993cc77cfd9a26
SHA1: fdeadda494c899b3daef0f78416014da89b62b91
SHA256: 9eab0ac0b9c7aedbf98853f0e0b91396610439890e9ccd53b3f335f0567a1ff7
SHA512: c60acb4abcdc6a0f257028dd34946cad570a357fec2150ad42475b85557e6ab3650a9d39a10b45f92b9529c84e7069b89ded4ed3007a51ae556f42a034ecdcff