Analysis
max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2025, 08:28

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
  Resource: win10v2004-20250217-en

General
Target: JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
Size: 812KB
MD5: 32cd46571103505d4e8d3792c9940d0f
SHA1: 6bc3c6caadf790731094740d01a9ff971a24a5af
SHA256: 545f929e2befbaa0cebbddfb67c612a4e1363be1fde222e8271bd8fa324f2a5c
SHA512: b6387a5454f528c61b0f07ad5b4b49a13ad3ed19508deebb5535dfbb81e4f1ff952fa360fbf4030b9c216b0ae8994b670c963cc278bb2008ae06400222c6c91e
SSDEEP: 12288:l6Q8oSIgiypnOyJLu/BhW1gXAY39ZiGHUQaLBb5byhQxNiMhh5QJpbKZwZLpKUtx:JdxT
Malware Config
Extracted: latentbot
- symantechantivirus.zapto.org
- 1symantechantivirus.zapto.org
- 2symantechantivirus.zapto.org
- 3symantechantivirus.zapto.org
- 4symantechantivirus.zapto.org
- 5symantechantivirus.zapto.org
- 6symantechantivirus.zapto.org
- 7symantechantivirus.zapto.org
- 8symantechantivirus.zapto.org
Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload (16 IoCs)
  resource | yara_rule
  behavioral2/memory/916-7-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-6-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-13-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-15-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-17-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-18-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-19-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-21-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-22-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-23-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-25-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-26-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-27-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-29-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-30-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral2/memory/916-31-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades

Latentbot family

Modifies firewall policy service (3 TTPs, 10 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\newegg.exe = "C:\\Users\\Admin\\AppData\\Roaming\\newegg.exe:*:Enabled:Windows Messanger" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Google Update = "C:\\Users\\Admin\\AppData\\Roaming\\newegg.exe" | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Google Update = "C:\\Users\\Admin\\AppData\\Roaming\\newegg.exe" | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Update = "C:\\Users\\Admin\\AppData\\Roaming\\newegg.exe" | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1468 set thread context of 916 | 1468 | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe | 92

upx (yara_rule matches, 19 IoCs)
  resource | yara_rule
  behavioral2/memory/916-4-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-7-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-5-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-2-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-6-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-13-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-15-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-17-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-18-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-19-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-21-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-22-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-23-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-25-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-26-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-27-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-29-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-30-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral2/memory/916-31-0x0000000000400000-0x0000000000473000-memory.dmp | upx

System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Modifies registry key (1 TTPs, 4 IoCs)
  pid | Process
  2708 | reg.exe
  2076 | reg.exe
  3196 | reg.exe
  4752 | reg.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
All 35 entries have pid 916 and Process JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe; the description column reads:
  Token: 1
  Token: SeCreateTokenPrivilege
  Token: SeAssignPrimaryTokenPrivilege
  Token: SeLockMemoryPrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: SeMachineAccountPrivilege
  Token: SeTcbPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeCreatePermanentPrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeAuditPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeSyncAgentPrivilege
  Token: SeEnableDelegationPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 31
  Token: 32
  Token: 33
  Token: 34
  Token: 35

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  1468 | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
  916 | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
  916 | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
  916 | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Identical rows are collapsed; the last column gives how many times each row appears in the report.
  description | pid | Process | procid_target | occurrences
  PID 1468 wrote to memory of 916 | 1468 | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe | 92 | 8
  PID 916 wrote to memory of 4412 | 916 | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe | 93 | 3
  PID 916 wrote to memory of 2556 | 916 | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe | 94 | 3
  PID 916 wrote to memory of 3152 | 916 | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe | 95 | 3
  PID 916 wrote to memory of 736 | 916 | JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe | 96 | 3
  PID 2556 wrote to memory of 3196 | 2556 | cmd.exe | 101 | 3
  PID 3152 wrote to memory of 2708 | 3152 | cmd.exe | 102 | 3
  PID 4412 wrote to memory of 4752 | 4412 | cmd.exe | 103 | 3
  PID 736 wrote to memory of 2076 | 736 | cmd.exe | 104 | 3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1468
    [2] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe
        - Adds policy Run key to start application
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 916
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 4412
            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 4752
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe:*:Enabled:Windows Messanger" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2556
            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32cd46571103505d4e8d3792c9940d0f.exe:*:Enabled:Windows Messanger" /f
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 3196
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 3152
            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 2708
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\newegg.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newegg.exe:*:Enabled:Windows Messanger" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 736
            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\newegg.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newegg.exe:*:Enabled:Windows Messanger" /f
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 2076
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)