Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20250211-en -
resource tags
arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system -
submitted
14/02/2025, 18:08
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe
Resource
win10v2004-20250211-en
General
-
Target
JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe
-
Size
3.2MB
-
MD5
fa7e7d5edba288e9a95e4900206fbf70
-
SHA1
f6102046c18472bc0b693704f21f17e705dbc439
-
SHA256
0d517d250b9e225215ad9b645b58684833571f2ef66509ad7c18a7a47fec7f64
-
SHA512
04b110915bced26833878d7e8ad5a3d9db8f34c6de3a44038cbf496c49197482ebc0717c0ae1539f89a18043d401e3ff0afcff41326ee2c8b9d52119fca3cd8e
-
SSDEEP
49152:4NjcJogDk4FTI5d81YkJ0CoiLNyOEe9hl3qJaMScJ0:
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 12 IoCs
resource yara_rule behavioral2/memory/1956-43-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral2/memory/1956-45-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral2/memory/1956-53-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral2/memory/1956-56-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral2/memory/1956-59-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral2/memory/1956-63-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral2/memory/1956-67-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral2/memory/1956-70-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral2/memory/1956-73-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral2/memory/1956-82-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral2/memory/1956-91-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral2/memory/1956-94-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\update.exe = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe:*:Enabled:Windows Messanger" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" reg.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run vbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\update = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe" vbc.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{69E929BC-DBDA-CAEB-3DAE-BEFDD7DDE9FF} vbc.exe Set value (str) \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{69E929BC-DBDA-CAEB-3DAE-BEFDD7DDE9FF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe" vbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69E929BC-DBDA-CAEB-3DAE-BEFDD7DDE9FF} vbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69E929BC-DBDA-CAEB-3DAE-BEFDD7DDE9FF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe" vbc.exe -
Downloads MZ/PE file 1 IoCs
flow pid Process 35 4140 Process not Found -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe -
Executes dropped EXE 2 IoCs
pid Process 2400 update2.exe 4872 is63.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe" vbc.exe Set value (str) \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe" vbc.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4872 set thread context of 3668 4872 is63.exe 89 PID 2400 set thread context of 1956 2400 update2.exe 91 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language update2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language is63.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3008 MicrosoftEdgeUpdate.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 4448 reg.exe 4624 reg.exe 3260 reg.exe 4868 reg.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2400 update2.exe 4872 is63.exe -
Suspicious use of AdjustPrivilegeToken 38 IoCs
description pid Process Token: SeDebugPrivilege 2400 update2.exe Token: SeDebugPrivilege 4872 is63.exe Token: 1 1956 vbc.exe Token: SeCreateTokenPrivilege 1956 vbc.exe Token: SeAssignPrimaryTokenPrivilege 1956 vbc.exe Token: SeLockMemoryPrivilege 1956 vbc.exe Token: SeIncreaseQuotaPrivilege 1956 vbc.exe Token: SeMachineAccountPrivilege 1956 vbc.exe Token: SeTcbPrivilege 1956 vbc.exe Token: SeSecurityPrivilege 1956 vbc.exe Token: SeTakeOwnershipPrivilege 1956 vbc.exe Token: SeLoadDriverPrivilege 1956 vbc.exe Token: SeSystemProfilePrivilege 1956 vbc.exe Token: SeSystemtimePrivilege 1956 vbc.exe Token: SeProfSingleProcessPrivilege 1956 vbc.exe Token: SeIncBasePriorityPrivilege 1956 vbc.exe Token: SeCreatePagefilePrivilege 1956 vbc.exe Token: SeCreatePermanentPrivilege 1956 vbc.exe Token: SeBackupPrivilege 1956 vbc.exe Token: SeRestorePrivilege 1956 vbc.exe Token: SeShutdownPrivilege 1956 vbc.exe Token: SeDebugPrivilege 1956 vbc.exe Token: SeAuditPrivilege 1956 vbc.exe Token: SeSystemEnvironmentPrivilege 1956 vbc.exe Token: SeChangeNotifyPrivilege 1956 vbc.exe Token: SeRemoteShutdownPrivilege 1956 vbc.exe Token: SeUndockPrivilege 1956 vbc.exe Token: SeSyncAgentPrivilege 1956 vbc.exe Token: SeEnableDelegationPrivilege 1956 vbc.exe Token: SeManageVolumePrivilege 1956 vbc.exe Token: SeImpersonatePrivilege 1956 vbc.exe Token: SeCreateGlobalPrivilege 1956 vbc.exe Token: 31 1956 vbc.exe Token: 32 1956 vbc.exe Token: 33 1956 vbc.exe Token: 34 1956 vbc.exe Token: 35 1956 vbc.exe Token: SeDebugPrivilege 1956 vbc.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1956 vbc.exe 1956 vbc.exe 1956 vbc.exe -
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target PID 3876 wrote to memory of 2400 3876 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 86 PID 3876 wrote to memory of 2400 3876 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 86 PID 3876 wrote to memory of 2400 3876 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 86 PID 3876 wrote to memory of 4872 3876 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 88 PID 3876 wrote to memory of 4872 3876 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 88 PID 3876 wrote to memory of 4872 3876 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 88 PID 4872 wrote to memory of 3668 4872 is63.exe 89 PID 4872 wrote to memory of 3668 4872 is63.exe 89 PID 4872 wrote to memory of 3668 4872 is63.exe 89 PID 4872 wrote to memory of 3668 4872 is63.exe 89 PID 4872 wrote to memory of 3668 4872 is63.exe 89 PID 4872 wrote to memory of 3668 4872 is63.exe 89 PID 4872 wrote to memory of 3668 4872 is63.exe 89 PID 4872 wrote to memory of 3668 4872 is63.exe 89 PID 4872 wrote to memory of 3668 4872 is63.exe 89 PID 2400 wrote to memory of 1956 2400 update2.exe 91 PID 2400 wrote to memory of 1956 2400 update2.exe 91 PID 2400 wrote to memory of 1956 2400 update2.exe 91 PID 2400 wrote to memory of 1956 2400 update2.exe 91 PID 2400 wrote to memory of 1956 2400 update2.exe 91 PID 2400 wrote to memory of 1956 2400 update2.exe 91 PID 2400 wrote to memory of 1956 2400 update2.exe 91 PID 2400 wrote to memory of 1956 2400 update2.exe 91 PID 1956 wrote to memory of 3932 1956 vbc.exe 92 PID 1956 wrote to memory of 3932 1956 vbc.exe 92 PID 1956 wrote to memory of 3932 1956 vbc.exe 92 PID 1956 wrote to memory of 3036 1956 vbc.exe 93 PID 1956 wrote to memory of 3036 1956 vbc.exe 93 PID 1956 wrote to memory of 3036 1956 vbc.exe 93 PID 1956 wrote to memory of 5032 1956 vbc.exe 94 PID 1956 wrote to memory of 5032 1956 vbc.exe 94 PID 1956 wrote to memory of 5032 1956 vbc.exe 94 PID 1956 wrote to memory of 876 1956 vbc.exe 95 PID 1956 wrote to memory of 876 1956 vbc.exe 95 PID 1956 wrote to memory of 876 1956 vbc.exe 95 PID 876 wrote to memory of 4448 876 cmd.exe 101 PID 876 wrote to memory of 4448 876 cmd.exe 101 PID 876 wrote to memory of 4448 876 cmd.exe 101 PID 3036 wrote to memory of 3260 3036 cmd.exe 100 PID 3036 wrote to memory of 3260 3036 cmd.exe 100 PID 3036 wrote to memory of 3260 3036 cmd.exe 100 PID 3932 wrote to memory of 4624 3932 cmd.exe 102 PID 3932 wrote to memory of 4624 3932 cmd.exe 102 PID 3932 wrote to memory of 4624 3932 cmd.exe 102 PID 5032 wrote to memory of 4868 5032 cmd.exe 103 PID 5032 wrote to memory of 4868 5032 cmd.exe 103 PID 5032 wrote to memory of 4868 5032 cmd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Users\Admin\AppData\Local\Temp\update2.exe"C:\Users\Admin\AppData\Local\Temp\update2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4624
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3260
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4868
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\update.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\update.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\update.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\update.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4448
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is63.exe"C:\Users\Admin\AppData\Local\Temp\is63.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe3⤵
- System Location Discovery: System Language Discovery
PID:3668
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Njk1OTQ0MDEtOUU0Ny00OUNDLThGMUUtNzc3OTJGQUIyNTdCfSIgdXNlcmlkPSJ7MTgyQUQxRjMtOEZFRi00RUZDLUJEQjktQzJDQkQyQ0YyREVEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjM1MEQyRjYtMDhEMi00ODZELUI3RUMtOUJCRTU0MkY0NDcxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mzk5NzY3MDI4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3008
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
612KB
MD55151fc17f564a6957f7638fac81b4189
SHA1cbae925ff16608cfd4bd1a9b65bd6db3f0acefc6
SHA2565c94615a6a6fe91013284e519a5168cb9d331a02d2232e0c16b31bc1647e3c72
SHA512f379dcd542ec3a59b5b91e38c2c1d3d2d99cf118f49e00d6195c3c4bee601ad2b46f30eeacf02db73bb0fcdb65128b1bc569a073e0f7aea874545c9faa01b5ca
-
Filesize
592KB
MD5773b23201407b8009404952159e8dc27
SHA152a48f92fd40530da17066b291bef66b6fae8f8a
SHA2565aa6487ff9ed17b6eca8e973bc829ff436bfd6cfb9b037a46bc7d3ab75001b9d
SHA512279171274dad941f91325e5c704eb556cf9ef180dda77754d50fe884ccea4b952d3f1ff5bc3e9b900fa48fc0098cad284630529fe202713d76e3f3f26be7d06e