Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250211-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250211-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/02/2025, 13:09
Static task: static1
Behavioral task: behavioral1 (sample JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe, resource win7-20240903-en)
Behavioral task: behavioral2 (sample JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe, resource win10v2004-20250211-en)
General
Target: JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe
Size: 308KB
MD5: f82ac35bf52d1f5ad8f6b5f29acb3f28
SHA1: 4a9ac9912e1f0ca668f2da7913b4533104fb531d
SHA256: a7f883e29e6f9210ef7546e715bd25aac14679d251ddf8b1a22d15b47c7e790a
SHA512: 1d82ee03ae41690e74b3aa0360dc671cc15b0d8e930992ce05429748b5f7f4d21587e0fadb9b4189360609e5719403a08a543facc05e8c81d1cfb24c7084e330
SSDEEP: 6144:8IlNxDlbni74D1CXWFyZEyaz3ZG7UVfuc96FeG39B85VDyqbr00:DbxDJxCcaRq3B56k5VDyu40
Malware Config
Signatures
- Blackshades
  Blackshades is a remote access trojan with various capabilities.
- Blackshades family
- Blackshades payload (15 IoCs)
  resource | yara_rule
  behavioral2/memory/2428-12-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-20-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-26-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-25-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-27-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-28-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-36-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-40-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-45-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-48-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-51-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-55-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-61-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-64-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/2428-71-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
- Modifies firewall policy service (3 TTPs, 10 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\CCC..exe = "C:\\Users\\Admin\\AppData\\Roaming\\CCC..exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | vbc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\CCC..exe" | vbc.exe
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A61EDA5-1ABF-F1EE-CCCA-70FA4D232211} | vbc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A61EDA5-1ABF-F1EE-CCCA-70FA4D232211}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\CCC..exe" | vbc.exe
  Key created | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9A61EDA5-1ABF-F1EE-CCCA-70FA4D232211} | vbc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9A61EDA5-1ABF-F1EE-CCCA-70FA4D232211}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\CCC..exe" | vbc.exe
- Downloads MZ/PE file (1 IoCs)
  flow | pid | Process
  35 | 676 | Process not Found
- Executes dropped EXE (1 IoCs)
  pid | Process
  2428 | vbc.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\CCC..exe" | vbc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\CCC..exe" | vbc.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2892 set thread context of 2428 | 2892 | JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe | 88
- yara_rule upx matches (same memory region as the Blackshades payload above)
  resource | yara_rule
  behavioral2/memory/2428-6-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-9-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-12-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-20-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-26-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-25-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-27-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-28-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-36-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-40-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-45-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-48-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-51-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-55-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-61-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-64-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/2428-71-0x0000000000400000-0x0000000000473000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (4 times)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe (2 times)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe (1 time)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (4 times)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe (1 time)
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2328 | MicrosoftEdgeUpdate.exe
- Modifies registry key (1 TTPs, 4 IoCs)
  pid | Process
  4928 | reg.exe
  5092 | reg.exe
  2948 | reg.exe
  3180 | reg.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  description | pid | Process
  All 36 entries have pid 2428, Process vbc.exe. Tokens, in the order reported:
  1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  2428 | vbc.exe (3 times)
- Suspicious use of WriteProcessMemory (34 IoCs)
  description | pid | Process | procid_target
  PID 2892 wrote to memory of 2428 | 2892 | JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe | 88 (10 times)
  PID 2428 wrote to memory of 3820 | 2428 | vbc.exe | 91 (3 times)
  PID 2428 wrote to memory of 4584 | 2428 | vbc.exe | 92 (3 times)
  PID 2428 wrote to memory of 2548 | 2428 | vbc.exe | 93 (3 times)
  PID 2428 wrote to memory of 2544 | 2428 | vbc.exe | 94 (3 times)
  PID 4584 wrote to memory of 2948 | 4584 | cmd.exe | 99 (3 times)
  PID 2544 wrote to memory of 5092 | 2544 | cmd.exe | 100 (3 times)
  PID 3820 wrote to memory of 3180 | 3820 | cmd.exe | 101 (3 times)
  PID 2548 wrote to memory of 4928 | 2548 | cmd.exe | 102 (3 times)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe"
  PID: 2892
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\vbc.exe
    command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
    PID: 2428
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 3820
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\SysWOW64\reg.exe
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 3180
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe:*:Enabled:Windows Messanger" /f
      PID: 4584
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\SysWOW64\reg.exe
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe:*:Enabled:Windows Messanger" /f
        PID: 2948
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 2548
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\SysWOW64\reg.exe
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 4928
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\CCC..exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\CCC..exe:*:Enabled:Windows Messanger" /f
      PID: 2544
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\SysWOW64\reg.exe
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\CCC..exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\CCC..exe:*:Enabled:Windows Messanger" /f
        PID: 5092
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

(depth 1) C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
  PID: 3232
  - System Location Discovery: System Language Discovery

(depth 1) C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEQzRTk0MzItODM2Mi00RjM0LUIzNjItMjU0QTMyNzU2MkE3fSIgdXNlcmlkPSJ7ODM5MTc3ODEtODFFNy00N0IwLUI0REMtNzE2M0I4MkYxNDI0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTQ2QTU2QUMtRTJBOC00MjUzLTlBNkQtRDFGOUZGNjZGQkRCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTc5NTYxMjQyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
  PID: 2328
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (5)
Downloads
- Filesize: 407KB
  MD5: e2048d49d02a279d8387492340605d8d
  SHA1: 20450d32666afa16660e6b86131fd4a63330f345
  SHA256: 40991d396c0eab6a26909e924090a48c33901c6853406c8dccbf79016cf06c66
  SHA512: 5acd2132e89eda342c1a036754f6fe0df38ed169b3c375e1835cc9aa56bdd2f9ab4af51871f9eab16484a4eaed63be6bc50cc78f785d52e582b9be8a02dcfc98
- Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
- Filesize: 308KB
  MD5: f82ac35bf52d1f5ad8f6b5f29acb3f28
  SHA1: 4a9ac9912e1f0ca668f2da7913b4533104fb531d
  SHA256: a7f883e29e6f9210ef7546e715bd25aac14679d251ddf8b1a22d15b47c7e790a
  SHA512: 1d82ee03ae41690e74b3aa0360dc671cc15b0d8e930992ce05429748b5f7f4d21587e0fadb9b4189360609e5719403a08a543facc05e8c81d1cfb24c7084e330