Analysis
- max time kernel: 144s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-07-2024 15:07
- Static task static1
- Behavioral task behavioral1: sample COMANDA URGENTA.exe, resource win7-20240704-en
- Behavioral task behavioral2: sample COMANDA URGENTA.exe, resource win10v2004-20240709-en
- Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240704-en
- Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240704-en
- Behavioral task behavioral5: sample $PLUGINSDIR/nsExec.dll, resource win7-20240704-en
- Behavioral task behavioral6: sample $PLUGINSDIR/nsExec.dll, resource win10v2004-20240709-en
General
- Target: COMANDA URGENTA.exe
- Size: 620KB
- MD5: b409d2fd594633bc71e64da08aed9951
- SHA1: c6f38e204419c12044e34baf398030b76e616a2f
- SHA256: c605bbb80497f649c14f03846249dbe6c72ac434ec1e1ef9292e80f1d92b832b
- SHA512: b234f0a848c3d775cde23d4965084714fe13b3dd076f3749213e0f55a3f69cad302bebd2db2ce189333f85b4d81554dffc74b58553120251acb0f2ce6b03ecf6
- SSDEEP: 12288:9vxwRbB0H5KUjUPKCuO+ggobwxbAW07FN3WNZt:9vx6bB0ZqAHgDSbxQFN3WDt
Malware Config
- Extracted family: snakekeylogger
- Extracted URL: https://api.telegram.org/bot7169426142:AAG_Nuf4vFdD3YALIW-rE-UaNUDVey15SPM/sendMessage?chat_id=1545867115
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1740-675-0x0000000000830000-0x0000000001A84000-memory.dmp | family_snakekeylogger
  behavioral2/memory/1740-676-0x0000000000830000-0x0000000000856000-memory.dmp | family_snakekeylogger
- Disables RegEdit via registry modification (1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | REG.exe
- Loads dropped DLL (64 IoCs)
  pid | process
  3716 | COMANDA URGENTA.exe (64 identical entries)
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | COMANDA URGENTA.exe
  Key opened | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | COMANDA URGENTA.exe
  Key opened | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | COMANDA URGENTA.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  41 | checkip.dyndns.org
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid | process
  1740 | COMANDA URGENTA.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | process
  3716 | COMANDA URGENTA.exe
  1740 | COMANDA URGENTA.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3716 set thread context of 1740 | 3716 | COMANDA URGENTA.exe | COMANDA URGENTA.exe
- Drops file in Program Files directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Common Files\ideologised\responseless.hvo | COMANDA URGENTA.exe
- Drops file in Windows directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\resources\postnaris\Omsaetningen.ini | COMANDA URGENTA.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | process
  1740 | COMANDA URGENTA.exe (9 identical entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  3716 | COMANDA URGENTA.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1740 | COMANDA URGENTA.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process
  PID 3716 wrote to memory of 4416 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 2372 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 1536 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 2836 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 1604 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 768 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 4420 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 640 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 3656 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 2528 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 3324 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 2880 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 4356 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 4520 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 2748 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 2544 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 2040 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 3932 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 5100 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 4536 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 4816 | 3716 | COMANDA URGENTA.exe | cmd.exe (3 entries)
  PID 3716 wrote to memory of 4436 | 3716 | COMANDA URGENTA.exe | cmd.exe
- outlook_office_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | COMANDA URGENTA.exe
- outlook_win_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | COMANDA URGENTA.exe
Processes
image | command line | PID (indentation shows process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\COMANDA URGENTA.exe | "C:\Users\Admin\AppData\Local\Temp\COMANDA URGENTA.exe" | PID:3716
  signatures: Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "250^177" | PID:4416
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "244^177" | PID:2372
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "227^177" | PID:1536
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "255^177" | PID:2836
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "244^177" | PID:1604
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "253^177" | PID:768
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "130^177" | PID:4420
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "131^177" | PID:640
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "139^177" | PID:3656
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "139^177" | PID:2528
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "242^177" | PID:3324
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:2880
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "212^177" | PID:4356
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "208^177" | PID:4520
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "197^177" | PID:2748
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "212^177" | PID:2544
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "247^177" | PID:2040
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:3932
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "221^177" | PID:5100
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "212^177" | PID:4536
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "240^177" | PID:4816
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "153^177" | PID:4436
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "220^177" | PID:4508
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:2572
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:216
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "133^177" | PID:3612
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:3292
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:3448
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4868
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:4172
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:3528
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:2116
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "201^177" | PID:716
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "137^177" | PID:4048
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:2536
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:4476
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:1700
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:4104
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:1784
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:3580
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:2196
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:1308
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4124
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:4396
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4904
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:3744
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:2312
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4908
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "193^177" | PID:4884
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:2656
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:3936
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:3312
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:3972
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:2472
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:2172
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "133^177" | PID:520
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:2364
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:3596
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:3768
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:5004
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:872
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "201^177" | PID:2108
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "137^177" | PID:4848
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:2748
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:1860
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4844
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:2240
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:3824
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:4284
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "152^177" | PID:1852
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:2424
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "159^177" | PID:4112
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:116
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "132^177" | PID:4936
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "141^177" | PID:3980
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "250^177" | PID:2520
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "244^177" | PID:612
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "227^177" | PID:4176
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "255^177" | PID:852
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "244^177" | PID:1604
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "253^177" | PID:2284
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "130^177" | PID:972
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "131^177" | PID:4500
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "139^177" | PID:2364
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "139^177" | PID:3556
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "231^177" | PID:5084
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:2536
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:4192
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "197^177" | PID:3308
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "196^177" | PID:2128
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "208^177" | PID:780
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "221^177" | PID:3580
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "240^177" | PID:3888
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "221^177" | PID:736
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "221^177" | PID:1344
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "222^177" | PID:5028
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "210^177" | PID:4380
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "153^177" | PID:1600
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:1800
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:2000
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:4296
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:2480
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:2692
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:3524
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "133^177" | PID:740
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "135^177" | PID:4964
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "133^177" | PID:3220
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:4852
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "130^177" | PID:2008
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "132^177" | PID:2116
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "137^177" | PID:3656
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "133^177" | PID:2528
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:1000
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:1708
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:4248
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:1532
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:2500
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "201^177" | PID:2748
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "130^177" | PID:1860
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:4400
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:1308
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:4036
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:4284
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:1852
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:3744
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:2508
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:4908
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "201^177" | PID:2840
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "133^177" | PID:3416
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:1960
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "152^177" | PID:3928
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "193^177" | PID:3196
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "159^177" | PID:4540
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:3012
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "128^177" | PID:4420
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "141^177" | PID:640
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "250^177" | PID:3584
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "244^177" | PID:5092
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "227^177" | PID:4048
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "255^177" | PID:1404
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "244^177" | PID:3384
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "253^177" | PID:2108
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "130^177" | PID:3592
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "131^177" | PID:3188
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "139^177" | PID:1564
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "139^177" | PID:4360
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "226^177" | PID:3932
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "212^177" | PID:1572
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "197^177" | PID:1528
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "247^177" | PID:4264
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:4548
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "221^177" | PID:4724
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "212^177" | PID:4528
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "225^177" | PID:2000
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "222^177" | PID:4840
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:4972
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "223^177" | PID:2692
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "197^177" | PID:3292
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "212^177" | PID:4492
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:2672
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "153^177" | PID:3940
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:1384
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4156
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:2364
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "132^177" | PID:3656
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:4040
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:3444
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:872
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4248
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "135^177" | PID:4104
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "134^177" | PID:1180
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "134^177" | PID:1640
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4880
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:4812
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:1716
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:4340
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:5028
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:2424
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:4112
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:4920
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:3464
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:4384
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "152^177" | PID:3612
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:4660
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "159^177" | PID:2736
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:3560
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "130^177" | PID:2524
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "141^177" | PID:4820
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "250^177" | PID:4496
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "244^177" | PID:2664
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "227^177" | PID:3036
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "255^177" | PID:1184
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "244^177" | PID:5004
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "253^177" | PID:2012
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "130^177" | PID:1792
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "131^177" | PID:3056
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "139^177" | PID:2500
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "139^177" | PID:1784
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "227^177" | PID:780
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "212^177" | PID:3580
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "208^177" | PID:1308
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "213^177" | PID:4656
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "247^177" | PID:4304
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:2368
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "221^177" | PID:3988
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "212^177" | PID:4932
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "153^177" | PID:2024
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:4564
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:2164
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:1204
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "132^177" | PID:2872
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:3960
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4288
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:972
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:1160
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:616
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "128^177" | PID:3556
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:2576
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:1856
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:4748
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:3588
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "133^177" | PID:2108
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "135^177" | PID:3364
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "133^177" | PID:2040
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:408
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "130^177" | PID:3628
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "132^177" | PID:3820
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "137^177" | PID:4536
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "133^177" | PID:2028
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:4392
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "155^177" | PID:1696
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:3476
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:3484
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:4364
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:4908
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:2840
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:2520
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:3936
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:4784
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "152^177" | PID:1604
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:3012
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "159^177" | PID:4420
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:4580
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "130^177" | PID:452
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "141^177" | PID:1700
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "196^177" | PID:2980
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "194^177" | PID:3592
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "212^177" | PID:3188
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:1340
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "130^177" | PID:780
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "131^177" | PID:2880
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "139^177" | PID:1308
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "139^177" | PID:4656
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "242^177" | PID:3140
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "208^177" | PID:376
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "221^177" | PID:2508
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "221^177" | PID:4932
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "230^177" | PID:3492
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:4472
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "223^177" | PID:1960
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "213^177" | PID:3928
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "222^177" | PID:1216
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "198^177" | PID:4540
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "225^177" | PID:1392
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:668
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "222^177" | PID:4496
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "210^177" | PID:1928
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "240^177" | PID:4556
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "153^177" | PID:388
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:1200
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:3384
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "195^177" | PID:2128
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "128^177" | PID:3536
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:1336
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:2952
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:1240
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4396
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:1852
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:4436
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:116
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4664
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:264
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:4516
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:384
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:4992
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4244
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:4868
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "157^177" | PID:3936
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4784
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "216^177" | PID:404
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "145^177" | PID:4500
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "129^177" | PID:1384
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "152^177" | PID:3324
  - C:\Windows\SysWOW64\cmd.exe | cmd.exe /c set /a "141^177" | PID:1296
  - C:\Users\Admin\AppData\Local\Temp\COMANDA URGENTA.exe | "C:\Users\Admin\AppData\Local\Temp\COMANDA URGENTA.exe" | PID:1740
    signatures: Accesses Microsoft Outlook profiles; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
    - C:\Windows\SysWOW64\REG.exe | REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f | PID:4360
      signatures: Disables RegEdit via registry modification; Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: bff2a11d26d951ec34679b8fa1ee7192
  SHA1: d3de629a5a86ee35b6afa1802f6ac8b141b07062
  SHA256: aec5af9c7c551c3590492b0c0120b535b55ab048e84f695b617a5ab4b1a52f54
  SHA512: 1dce397c9cab3cd3b58c181688286a89067c743f195403694819c2d988435268ffd01939beaaa17cfa344160c89414f28273b70de154be0def034af8c470723a
- Filesize: 6KB
  MD5: fdee755c4987e9859e0eec130ee22efd
  SHA1: ba32823881a98da6b92eee1d866be2b3a20c6e5d
  SHA256: e18984e78d58b2383f2c1e8ed0000088ee8d9d469345383618f179176fcddff6
  SHA512: 31ba3dad22fd9b78ab3f6017c4373c923d048cf0c010900a131c4533ef185d408a88052aa4cf6184dbe484d44aab9cfa94a052185cf0b9ad19286ed921e4723f