Analysis
- max time kernel: 147s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26/02/2025, 03:03
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_2392316e710472968d2547c5165a878a.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_2392316e710472968d2547c5165a878a.exe
- Resource: win10v2004-20250217-en
General
- Target: JaffaCakes118_2392316e710472968d2547c5165a878a.exe
- Size: 576KB
- MD5: 2392316e710472968d2547c5165a878a
- SHA1: 2401e6cddd3196e1c3d6db94dfc47af43798ef54
- SHA256: 706de930537df09595f349deb66e26126a1ece049bcb1f8cea52dfe190ae8820
- SHA512: c85e41342c771f31c8cc41adb4e508c823569c357d9840fe2c574857ad29862097516c1a7f8a77ab94bf9be98b044a4875ba5247dc65b70c436deb0e667af16a
- SSDEEP: 12288:jECAPL1qjQudTZVsMw3+tZuq8X+HQ2yOUQMcMH3S:gCAPcj5Xw3+tQXAQ2yOUQMT3S
Malware Config
Signatures
- Blackshades
  Blackshades is a remote access trojan with various capabilities.
- Blackshades family
- Blackshades payload (13 IoCs)
Modifies firewall policy service (3 TTPs, 8 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2392316e710472968d2547c5165a878a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_2392316e710472968d2547c5165a878a.exe:*:Enabled:Windows Messanger" (reg.exe)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (JaffaCakes118_2392316e710472968d2547c5165a878a.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Systems = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe" (JaffaCakes118_2392316e710472968d2547c5165a878a.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5253AEE-3F5D-BBBD-DCA0-E5EADBDC3FDC} (JaffaCakes118_2392316e710472968d2547c5165a878a.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5253AEE-3F5D-BBBD-DCA0-E5EADBDC3FDC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe" (JaffaCakes118_2392316e710472968d2547c5165a878a.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{E5253AEE-3F5D-BBBD-DCA0-E5EADBDC3FDC} (JaffaCakes118_2392316e710472968d2547c5165a878a.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components\{E5253AEE-3F5D-BBBD-DCA0-E5EADBDC3FDC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe" (JaffaCakes118_2392316e710472968d2547c5165a878a.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Systems = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe" (JaffaCakes118_2392316e710472968d2547c5165a878a.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Systems = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe" (JaffaCakes118_2392316e710472968d2547c5165a878a.exe)
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 (JaffaCakes118_2392316e710472968d2547c5165a878a.exe)
Suspicious use of SetThreadContext (2 IoCs)
- PID 1936 set thread context of 3060 (JaffaCakes118_2392316e710472968d2547c5165a878a.exe, target procid 31)
- PID 3060 set thread context of 540 (JaffaCakes118_2392316e710472968d2547c5165a878a.exe, target procid 32)
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_2392316e710472968d2547c5165a878a.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_2392316e710472968d2547c5165a878a.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_2392316e710472968d2547c5165a878a.exe)
Modifies registry key (1 TTP, 4 IoCs)
- PID 2872 reg.exe
- PID 2900 reg.exe
- PID 2772 reg.exe
- PID 2876 reg.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Suspicious use of SetWindowsHookEx (5 IoCs)
- PID 1936 JaffaCakes118_2392316e710472968d2547c5165a878a.exe
- PID 3060 JaffaCakes118_2392316e710472968d2547c5165a878a.exe
- PID 540 JaffaCakes118_2392316e710472968d2547c5165a878a.exe
- PID 540 JaffaCakes118_2392316e710472968d2547c5165a878a.exe
- PID 540 JaffaCakes118_2392316e710472968d2547c5165a878a.exe
Suspicious use of WriteProcessMemory (49 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2392316e710472968d2547c5165a878a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2392316e710472968d2547c5165a878a.exe"
  PID: 1936
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2392316e710472968d2547c5165a878a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2392316e710472968d2547c5165a878a.exe"
    PID: 3060
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2392316e710472968d2547c5165a878a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2392316e710472968d2547c5165a878a.exe"
      PID: 540
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2752
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 2900
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2392316e710472968d2547c5165a878a.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2392316e710472968d2547c5165a878a.exe:*:Enabled:Windows Messanger" /f
        PID: 2716
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2392316e710472968d2547c5165a878a.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2392316e710472968d2547c5165a878a.exe:*:Enabled:Windows Messanger" /f
          PID: 2772
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2828
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 2872
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll32.exe:*:Enabled:Windows Messanger" /f
        PID: 2856
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll32.exe:*:Enabled:Windows Messanger" /f
          PID: 2876
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)