Analysis
  max time kernel: 150s
  max time network: 142s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 01/10/2024, 09:43
Static task: static1
Behavioral task: behavioral1
  Sample: 307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe
  Resource: win10v2004-20240802-en
General
  Target: 307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe
  Size: 936KB
  MD5: 4f66f2d3347a0466104e506a6d71f1b0
  SHA1: 63d77b6043bfcfa477d743a30c3476997f6dcf09
  SHA256: 307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ce
  SHA512: 10c7a1e0477830cdcc40a385a40ef884e2bb9ab3e2d1ecebee1e9760d9615d035fc2b55d3b9c9c81b3aeddedbb1ab0c869a00d278653ca59344059feea3bc660
  SSDEEP: 12288:9MdXQ94Gh9tkeWMsMQ3WmvekJTaS9ynMpx5hum+yw0DMdXQ94Gh9tkeWMsMQ3Wm9:af7XHuPf7XHu
Malware Config
Extracted
  Family: njrat
  Version: 0.7d
  Botnet: HacKed
  C2: 22.ip.gl.ply.gg:57731
  Mutex: 32ce84f74d25f1e71aac67667a2c8d24
  Attributes
    reg_key: 32ce84f74d25f1e71aac67667a2c8d24
    splitter: |'|'|
Signatures
Disables Task Manager via registry modification
Drops file in Drivers directory 1 IoCs
  File opened for modification  C:\Windows\system32\drivers\etc\hosts  LocalfRDeAalfWC.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
  PID 1480  netsh.exe
Drops startup file 2 IoCs
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32ce84f74d25f1e71aac67667a2c8d24.exe  Dllhost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32ce84f74d25f1e71aac67667a2c8d24.exe  Dllhost.exe
Executes dropped EXE 8 IoCs
  PID 2260  LocalfRDeAalfWC.exe
  PID 2648  %tmp%.exe
  PID 2744  System.exe
  PID 1968  System.exe
  PID 2924  System.exe
  PID 2660  System.exe
  PID 2160  99796.exe
  PID 1348  Dllhost.exe
Loads dropped DLL 6 IoCs
  PID 2260  LocalfRDeAalfWC.exe
  PID 2260  LocalfRDeAalfWC.exe
  PID 2260  LocalfRDeAalfWC.exe
  PID 2260  LocalfRDeAalfWC.exe
  PID 2648  %tmp%.exe
  PID 2160  99796.exe
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
  Set value (str)  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32 .exe"  LocalfRDeAalfWC.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\%tmp%.exe = "C:\\Program Files (x86)\\%tmp%.exe"  %tmp%.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\32ce84f74d25f1e71aac67667a2c8d24 = "\"C:\\ProgramData\\Dllhost.exe\" .."  Dllhost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\32ce84f74d25f1e71aac67667a2c8d24 = "\"C:\\ProgramData\\Dllhost.exe\" .."  Dllhost.exe
Suspicious use of SetThreadContext 1 IoCs
  PID 2648 set thread context of 3048  (pid 2648, %tmp%.exe, procid_target 50)
Drops file in Program Files directory 2 IoCs
  File opened for modification  C:\Program Files (x86)\%tmp%.exe  %tmp%.exe
  File created  C:\Program Files (x86)\%tmp%.exe  %tmp%.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key opened  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wscript.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rEG.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dllhost.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  LocalfRDeAalfWC.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dw20.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netsh.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  %tmp%.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dw20.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  REG.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  99796.exe
Modifies registry key 1 TTPs 1 IoCs
  PID 664  rEG.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  PID 2620  vlc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  PID 2620  vlc.exe
  PID 2456  dw20.exe
Suspicious use of AdjustPrivilegeToken 37 IoCs
Suspicious use of FindShellTrayWindow 8 IoCs
Suspicious use of SendNotifyMessage 7 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
  PID 2620  vlc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe  (PID 2012)
    command line: "C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\LocalfRDeAalfWC.exe  (PID 2260)
        command line: "C:\Users\Admin\AppData\LocalfRDeAalfWC.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 2988)
            command line: cmd /c ""C:\Users\Admin\AppData\Roaming\java.bat" "
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\wscript.exe  (PID 2180)
                command line: wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe  (PID 864)
                    command line: cmd /c ""C:\Users\Admin\AppData\Roaming\java2.bat" "
                    - System Location Discovery: System Language Discovery
        C:\Windows\Temp\System.exe  (PID 2924)
            command line: C:\Windows\Temp\System.exe
            - Executes dropped EXE
        C:\Windows\Temp\System.exe  (PID 2744)
            command line: C:\Windows\Temp\System.exe
            - Executes dropped EXE
        C:\Windows\Temp\System.exe  (PID 2660)
            command line: C:\Windows\Temp\System.exe
            - Executes dropped EXE
        C:\Windows\Temp\System.exe  (PID 1968)
            command line: C:\Windows\Temp\System.exe
            - Executes dropped EXE
        C:\Program Files\VideoLAN\VLC\vlc.exe  (PID 2620)
            command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Default.mp3"
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe  (PID 2648)
            command line: "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  (PID 1812)
                command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ytcrz3tw.cmdline"
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2644)
                    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB74.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBB73.tmp"
                    - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3048)
                command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                - System Location Discovery: System Language Discovery
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  (PID 880)
                    command line: dw20.exe -x -s 412
                    - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Roaming\99796.exe  (PID 2160)
                command line: "C:\Users\Admin\AppData\Roaming\99796.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                C:\ProgramData\Dllhost.exe  (PID 1348)
                    command line: "C:\ProgramData\Dllhost.exe"
                    - Drops startup file
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\SysWOW64\netsh.exe  (PID 1480)
                        command line: netsh firewall add allowedprogram "C:\ProgramData\Dllhost.exe" "Dllhost.exe" ENABLE
                        - Modifies Windows Firewall
                        - Event Triggered Execution: Netsh Helper DLL
                        - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  (PID 2456)
                command line: dw20.exe -x -s 1116
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: GetForegroundWindowSpam
        C:\Windows\SysWOW64\REG.exe  (PID 1956)
            command line: REG add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
            - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\rEG.exe  (PID 664)
            command line: rEG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            - System Location Discovery: System Language Discovery
            - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (2)
Downloads