Analysis
-
max time kernel
149s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20-09-2024 23:36
Static task
static1
Behavioral task
behavioral1
Sample
f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe
Resource
win10v2004-20240802-en
General
-
Target
f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe
-
Size
1.8MB
-
MD5
6a17d8dd4cbfddeb2054c738173e4f18
-
SHA1
99d65d7d306682167f446526d1b0184bc92667ad
-
SHA256
f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615
-
SHA512
26e10fa641483690804bd61e5a9c25bf196521a003a7682807d5438be0f4bf43383682dbeae2df339c30545beef0e8b8719505ef286dc2b4c764d2ad143081d6
-
SSDEEP
49152:RNMqQ0kwonLVkZep9nWrPWwONrRoODiGgDWAg2CPaSAnYvJW3BTSXff6YNQVWIP7:RiqQ0kwonLVkZep9nWrPWwONrRoODiGo
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe -
Executes dropped EXE 3 IoCs
pid Process 3428 Firefox.exe 2368 Firefox.exe 1104 Firefox.exe -
resource yara_rule behavioral2/memory/2368-31-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/2368-36-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/2368-34-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/1104-40-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/1104-45-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/1104-43-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/2368-50-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/1104-51-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/2368-52-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/2368-54-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/2368-57-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/2368-59-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/2368-64-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/2368-80-0x0000000000400000-0x000000000045D000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater 3 = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exe" reg.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3428 set thread context of 2368 3428 Firefox.exe 87 PID 3428 set thread context of 1104 3428 Firefox.exe 88 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Firefox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Firefox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Firefox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 628 reg.exe 3300 reg.exe 1768 reg.exe 4720 reg.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: 1 2368 Firefox.exe Token: SeCreateTokenPrivilege 2368 Firefox.exe Token: SeAssignPrimaryTokenPrivilege 2368 Firefox.exe Token: SeLockMemoryPrivilege 2368 Firefox.exe Token: SeIncreaseQuotaPrivilege 2368 Firefox.exe Token: SeMachineAccountPrivilege 2368 Firefox.exe Token: SeTcbPrivilege 2368 Firefox.exe Token: SeSecurityPrivilege 2368 Firefox.exe Token: SeTakeOwnershipPrivilege 2368 Firefox.exe Token: SeLoadDriverPrivilege 2368 Firefox.exe Token: SeSystemProfilePrivilege 2368 Firefox.exe Token: SeSystemtimePrivilege 2368 Firefox.exe Token: SeProfSingleProcessPrivilege 2368 Firefox.exe Token: SeIncBasePriorityPrivilege 2368 Firefox.exe Token: SeCreatePagefilePrivilege 2368 Firefox.exe Token: SeCreatePermanentPrivilege 2368 Firefox.exe Token: SeBackupPrivilege 2368 Firefox.exe Token: SeRestorePrivilege 2368 Firefox.exe Token: SeShutdownPrivilege 2368 Firefox.exe Token: SeDebugPrivilege 2368 Firefox.exe Token: SeAuditPrivilege 2368 Firefox.exe Token: SeSystemEnvironmentPrivilege 2368 Firefox.exe Token: SeChangeNotifyPrivilege 2368 Firefox.exe Token: SeRemoteShutdownPrivilege 2368 Firefox.exe Token: SeUndockPrivilege 2368 Firefox.exe Token: SeSyncAgentPrivilege 2368 Firefox.exe Token: SeEnableDelegationPrivilege 2368 Firefox.exe Token: SeManageVolumePrivilege 2368 Firefox.exe Token: SeImpersonatePrivilege 2368 Firefox.exe Token: SeCreateGlobalPrivilege 2368 Firefox.exe Token: 31 2368 Firefox.exe Token: 32 2368 Firefox.exe Token: 33 2368 Firefox.exe Token: 34 2368 Firefox.exe Token: 35 2368 Firefox.exe Token: SeDebugPrivilege 1104 Firefox.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4936 f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe 3428 Firefox.exe 2368 Firefox.exe 2368 Firefox.exe 1104 Firefox.exe 2368 Firefox.exe -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 4936 wrote to memory of 2144 4936 f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe 82 PID 4936 wrote to memory of 2144 4936 f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe 82 PID 4936 wrote to memory of 2144 4936 f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe 82 PID 2144 wrote to memory of 852 2144 cmd.exe 85 PID 2144 wrote to memory of 852 2144 cmd.exe 85 PID 2144 wrote to memory of 852 2144 cmd.exe 85 PID 4936 wrote to memory of 3428 4936 f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe 86 PID 4936 wrote to memory of 3428 4936 f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe 86 PID 4936 wrote to memory of 3428 4936 f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe 86 PID 3428 wrote to memory of 2368 3428 Firefox.exe 87 PID 3428 wrote to memory of 2368 3428 Firefox.exe 87 PID 3428 wrote to memory of 2368 3428 Firefox.exe 87 PID 3428 wrote to memory of 2368 3428 Firefox.exe 87 PID 3428 wrote to memory of 2368 3428 Firefox.exe 87 PID 3428 wrote to memory of 2368 3428 Firefox.exe 87 PID 3428 wrote to memory of 2368 3428 Firefox.exe 87 PID 3428 wrote to memory of 2368 3428 Firefox.exe 87 PID 3428 wrote to memory of 1104 3428 Firefox.exe 88 PID 3428 wrote to memory of 1104 3428 Firefox.exe 88 PID 3428 wrote to memory of 1104 3428 Firefox.exe 88 PID 3428 wrote to memory of 1104 3428 Firefox.exe 88 PID 3428 wrote to memory of 1104 3428 Firefox.exe 88 PID 3428 wrote to memory of 1104 3428 Firefox.exe 88 PID 3428 wrote to memory of 1104 3428 Firefox.exe 88 PID 3428 wrote to memory of 1104 3428 Firefox.exe 88 PID 2368 wrote to memory of 2172 2368 Firefox.exe 89 PID 2368 wrote to memory of 2172 2368 Firefox.exe 89 PID 2368 wrote to memory of 2172 2368 Firefox.exe 89 PID 2368 wrote to memory of 2472 2368 Firefox.exe 90 PID 2368 wrote to memory of 2472 2368 Firefox.exe 90 PID 2368 wrote to memory of 2472 2368 Firefox.exe 90 PID 2368 wrote to memory of 4852 2368 Firefox.exe 91 PID 2368 wrote to memory of 4852 2368 Firefox.exe 91 PID 2368 wrote to memory of 4852 2368 Firefox.exe 91 PID 2368 wrote to memory of 1912 2368 Firefox.exe 94 PID 2368 wrote to memory of 1912 2368 Firefox.exe 94 PID 2368 wrote to memory of 1912 2368 Firefox.exe 94 PID 2472 wrote to memory of 628 2472 cmd.exe 97 PID 2472 wrote to memory of 628 2472 cmd.exe 97 PID 2472 wrote to memory of 628 2472 cmd.exe 97 PID 2172 wrote to memory of 3300 2172 cmd.exe 98 PID 2172 wrote to memory of 3300 2172 cmd.exe 98 PID 2172 wrote to memory of 3300 2172 cmd.exe 98 PID 1912 wrote to memory of 1768 1912 cmd.exe 99 PID 1912 wrote to memory of 1768 1912 cmd.exe 99 PID 1912 wrote to memory of 1768 1912 cmd.exe 99 PID 4852 wrote to memory of 4720 4852 cmd.exe 100 PID 4852 wrote to memory of 4720 4852 cmd.exe 100 PID 4852 wrote to memory of 4720 4852 cmd.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe"C:\Users\Admin\AppData\Local\Temp\f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMHVu.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Updater 3" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:852
-
-
-
C:\Users\Admin\AppData\Roaming\Firefox.exe"C:\Users\Admin\AppData\Roaming\Firefox.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Users\Admin\AppData\Roaming\Firefox.exeC:\Users\Admin\AppData\Roaming\Firefox.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3300
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:628
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4720
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1768
-
-
-
-
C:\Users\Admin\AppData\Roaming\Firefox.exeC:\Users\Admin\AppData\Roaming\Firefox.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1104
-
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestsoukchayt2.no-ip.orgIN AResponse
-
Remote address:8.8.8.8:53Request140.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestsoukchayt2.no-ip.orgIN AResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestsoukchayt2.no-ip.orgIN AResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.135.221.88.in-addr.arpaIN PTRResponse217.135.221.88.in-addr.arpaIN PTRa88-221-135-217deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requestsoukchayt2.no-ip.orgIN AResponse
-
Remote address:8.8.8.8:53Requestsoukchayt2.no-ip.orgIN AResponse
-
Remote address:8.8.8.8:53Requestsoukchayt2.no-ip.orgIN AResponse
-
Remote address:8.8.8.8:53Requestsoukchayt2.no-ip.orgIN AResponse
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestsoukchayt2.no-ip.orgIN AResponse
-
Remote address:8.8.8.8:53Requestsoukchayt2.no-ip.orgIN AResponse
-
Remote address:8.8.8.8:53Requestsoukchayt2.no-ip.orgIN AResponse
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
66 B 126 B 1 1
DNS Request
soukchayt2.no-ip.org
-
72 B 158 B 1 1
DNS Request
140.32.126.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
66 B 126 B 1 1
DNS Request
soukchayt2.no-ip.org
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
66 B 126 B 1 1
DNS Request
soukchayt2.no-ip.org
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
217.135.221.88.in-addr.arpa
-
66 B 126 B 1 1
DNS Request
soukchayt2.no-ip.org
-
66 B 126 B 1 1
DNS Request
soukchayt2.no-ip.org
-
66 B 126 B 1 1
DNS Request
soukchayt2.no-ip.org
-
66 B 126 B 1 1
DNS Request
soukchayt2.no-ip.org
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
-
66 B 126 B 1 1
DNS Request
soukchayt2.no-ip.org
-
66 B 126 B 1 1
DNS Request
soukchayt2.no-ip.org
-
66 B 126 B 1 1
DNS Request
soukchayt2.no-ip.org
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
143B
MD5962bc493b87f298696ad6e3eed7c7937
SHA1985cc0c7e37e2465c4349abd528e120663ebd205
SHA256c167e2faa5307ac291ff833b8a1f5f802eaa028d1aba8d1ad342ca84c07bdb01
SHA5129dd2b755a404b74206b713ab17d2ddedacc48910e942dab71cf7e98d8d25322c24e32648f0881136e5425134aaccfbfd9bdc52ceb4519bd07e97c5564116f173
-
Filesize
1.8MB
MD554d782abe69fd5aa4d0d3e1b4a10fb82
SHA1974ef4adef5b2b8c152d4db9804c501e739a1fa2
SHA256c8c8f3351e899d9fad27e3889c86041edcce0077a2887c62e5bbbe08cdb24d79
SHA51213cb8c2e047c2e6dd28d4e6480e2daaa93617b9493b38b264b5a530d741de6be769c341bc9984f389a94524ba014ac56c693d9442b78d4ee0cc61a9f92fefdda