c27b2d312a9e203b0fca4df49aa1d9ef1c974764f6d46eaa85fba3616e61414a

General

Score

N/A

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

description
Token: SeDebugPrivilege

Modifies Winlogon for persistence 2 TTPs 1 IoCs

Modify Registry

description
\REGISTRY\USER\S-1-5-21-1548117458-596549244-604853198-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\EwmxaE49afjah0c4\\E44hqPj1QUe4.exe\",explorer.exe"

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

description	pid
PID 1312 wrote to memory of 1968	1968

Suspicious use of SetThreadContext 1 IoCs

description	pid
PID 1312 set thread context of 1968	1968

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

description	pid
PID 1968 wrote to memory of 552	552

Suspicious use of SetThreadContext 1 IoCs

description	pid
PID 1968 set thread context of 552	552