Analysis
Max time kernel: 149s
Max time network: 143s
Platform: windows10-2004_x64
Resource: win10v2004-20250217-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13/03/2025, 05:31
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe
Size: 132KB
MD5: 6efe7ba276bf3ee57360d5ff18dfd4e5
SHA1: 46cd6a509b65dae6e878f3b153044df8859aa02e
SHA256: 9ad1ef62f129aef3a0636f3c3452487edcaeb64c7a98550e139a1f20a69f3930
SHA512: 1007fefa4d1a2b80511fed2b9fedb71b99b566012f793488ab14bd3a00fb77fd06617eee800698f49c4914181dc22788f382b898077a1db753ab2d33cbc4e27c
SSDEEP: 1536:2hSGNSvE7ZLp9NSQRG12fAh4S2z/+cgPkF3k49+s+l0nw2G7CDYB1QG7uAFHGPHP:2KEdl9USlSGWjP219+7B2iQGaucH
Malware Config
Signatures
Blackshades
  Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload (17 IoCs)
Modifies firewall policy service (3 TTPs, 10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe:*:Enabled:Windows Messanger" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\win32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\win32.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\win32.exe" | JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\win32.exe" | JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\win32.exe" | JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 400 set thread context of 1960 | 400 | JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe | 90
System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (4 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (4 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe (2 entries)
Modifies registry key (1 TTPs, 4 IoCs)
pid | Process
3036 | reg.exe
1708 | reg.exe
3076 | reg.exe
1532 | reg.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
All 35 entries are from PID 1960 (JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe); tokens in order:
1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1960 | JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe (2 entries)
Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
PID 400 wrote to memory of 1960 | 400 | JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe | 90 (8 entries)
PID 1960 wrote to memory of 4760 | 1960 | JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe | 91 (3 entries)
PID 1960 wrote to memory of 2152 | 1960 | JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe | 92 (3 entries)
PID 1960 wrote to memory of 3892 | 1960 | JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe | 93 (3 entries)
PID 1960 wrote to memory of 1560 | 1960 | JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe | 94 (3 entries)
PID 4760 wrote to memory of 1708 | 4760 | cmd.exe | 100 (3 entries)
PID 2152 wrote to memory of 3076 | 2152 | cmd.exe | 99 (3 entries)
PID 1560 wrote to memory of 1532 | 1560 | cmd.exe | 101 (3 entries)
PID 3892 wrote to memory of 3036 | 3892 | cmd.exe | 102 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe (PID 400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe (PID 1960)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe
    - Adds policy Run key to start application
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4760)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 1708)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe (PID 2152)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 3076)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6efe7ba276bf3ee57360d5ff18dfd4e5.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe (PID 3892)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 3036)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe (PID 1560)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\win32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\win32.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 1532)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\win32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\win32.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
File 1
  Filesize: 33B
  MD5: 3e87347eab902aaf04436ff5491d5e75
  SHA1: 6169bdb5c0615828960a23ffd6b535d0ff3beab3
  SHA256: 873606da03e2acd6064d3cbb182a1ca86cbcdcea8467ba3d2dab00f594d3d4f1
  SHA512: f1d0d67ef55a1f088c0a549d42d9efddeda39b44e0f139fd3f3713926e82517998cc429f60ce90df1897c4edc2d319263c1e3ab0377e4a7043d7bc076be059ca
File 2 (same hashes as the submitted sample)
  Filesize: 132KB
  MD5: 6efe7ba276bf3ee57360d5ff18dfd4e5
  SHA1: 46cd6a509b65dae6e878f3b153044df8859aa02e
  SHA256: 9ad1ef62f129aef3a0636f3c3452487edcaeb64c7a98550e139a1f20a69f3930
  SHA512: 1007fefa4d1a2b80511fed2b9fedb71b99b566012f793488ab14bd3a00fb77fd06617eee800698f49c4914181dc22788f382b898077a1db753ab2d33cbc4e27c