Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-11-2024 05:06
General
-
Target
df3276923c77fda7e3a581b56bf727686608443c0188b54b23781de64e5102c3.exe
-
Size
2.8MB
-
MD5
85fd33013e5c7d0c132e37916f6d4d22
-
SHA1
5b15fc198af5c423859f30a0768e0b6b5c143a44
-
SHA256
df3276923c77fda7e3a581b56bf727686608443c0188b54b23781de64e5102c3
-
SHA512
b9e1aa8aaf429f401cc0c87639b59221b104290930b7e3e06c2a74c8a0d56c72809f2cadce518491f405580f83cc7b9816917139c1cccae8daa3a30a4378b0f8
-
SSDEEP
49152:fsrGlmSlV77N/2zUDwug+TbrgZQly5JJ7nWJSR5BXzzncQPzxwDMuXZ4S:IaN/4UcuXPkcy5jDWWblPVw1Xq
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Luminosity family
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 25 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 30 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks system information in the registry 2 TTPs 46 IoCs
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 37 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\df3276923c77fda7e3a581b56bf727686608443c0188b54b23781de64e5102c3.exe"C:\Users\Admin\AppData\Local\Temp\df3276923c77fda7e3a581b56bf727686608443c0188b54b23781de64e5102c3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skype.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skype.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Skype" /XML "C:\Users\Admin\AppData\Local\Temp\aOOOOO.xml"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skype.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skype.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skype.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skype.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skype.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skype.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O16INS~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O16INS~1.EXE2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /D /c copy C:\Windows\system32\Tasks\O16Install "\O16Install.tmp" /Y3⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\files.datfiles.dat -y -pkmsauto4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Configure.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Uninstall.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe scenario=install productreleaseid="none" platform="x64" cdnbaseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" baseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" mediatype="CDN" culture="en-us" version="16.0.12527.20470" b="" lcid="1033" updatesenabled="True" productstoremove="AllProducts"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Configure.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Uninstall.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe scenario=install productreleaseid="none" platform="x64" cdnbaseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" baseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" mediatype="CDN" culture="en-us" version="16.0.12527.20470" b="" lcid="1033" updatesenabled="True" productstoremove="AllProducts"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Configure.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Uninstall.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe scenario=install productreleaseid="none" platform="x64" cdnbaseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" baseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" mediatype="CDN" culture="en-us" version="16.0.12527.20470" b="" lcid="1033" updatesenabled="True" productstoremove="AllProducts"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Configure.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Uninstall.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe scenario=install productreleaseid="none" platform="x64" cdnbaseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" baseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" mediatype="CDN" culture="en-us" version="16.0.12527.20470" b="" lcid="1033" updatesenabled="True" productstoremove="AllProducts"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Configure.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Uninstall.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe scenario=install productreleaseid="none" platform="x64" cdnbaseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" baseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" mediatype="CDN" culture="en-us" version="16.0.12527.20470" b="" lcid="1033" updatesenabled="True" productstoremove="AllProducts"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Configure.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Uninstall.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe scenario=install productreleaseid="none" platform="x64" cdnbaseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" baseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" mediatype="CDN" culture="en-us" version="16.0.12527.20470" b="" lcid="1033" updatesenabled="True" productstoremove="AllProducts"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Configure.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Uninstall.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe scenario=install productreleaseid="none" platform="x64" cdnbaseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" baseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" mediatype="CDN" culture="en-us" version="16.0.12527.20470" b="" lcid="1033" updatesenabled="True" productstoremove="AllProducts"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Configure.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Uninstall.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe scenario=install productreleaseid="none" platform="x64" cdnbaseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" baseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" mediatype="CDN" culture="en-us" version="16.0.12527.20470" b="" lcid="1033" updatesenabled="True" productstoremove="AllProducts"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Configure.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Uninstall.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe scenario=install productreleaseid="none" platform="x64" cdnbaseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" baseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" mediatype="CDN" culture="en-us" version="16.0.12527.20470" b="" lcid="1033" updatesenabled="True" productstoremove="AllProducts"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Configure.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Uninstall.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe scenario=install productreleaseid="none" platform="x64" cdnbaseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" baseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" mediatype="CDN" culture="en-us" version="16.0.12527.20470" b="" lcid="1033" updatesenabled="True" productstoremove="AllProducts"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Configure.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Uninstall.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe scenario=install productreleaseid="none" platform="x64" cdnbaseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" baseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" mediatype="CDN" culture="en-us" version="16.0.12527.20470" b="" lcid="1033" updatesenabled="True" productstoremove="AllProducts"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Configure.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\files\Setup.exe" /configure Uninstall.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe scenario=install productreleaseid="none" platform="x64" cdnbaseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" baseurl="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" mediatype="CDN" culture="en-us" version="16.0.12527.20470" b="" lcid="1033" updatesenabled="True" productstoremove="AllProducts"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD58b9e5f99f9682b03f26d619511dbfb1a
SHA107226ebb66356ec8623ca52e6a1ecac0a6763303
SHA256592d66d63eb83e6d8726409de46c3e3aedf40bde52ec37a66049a6a79db0c2de
SHA512c2af4469c83fd3b1e19ab7bd6818d56c7ae471aa0e0259259f86e0cff380a45a5d8c89b849bf3ed17d75ee5528c2f72503ce9408bb33ddec27609b60aaf4258d
-
Filesize
471B
MD5a696559440c422a661dfaa6bed9d0935
SHA1ea45c7c5e2b6e97335a8987632f1db348ec80b9e
SHA2569dd56eae844af46d240e6baac4443d5fa3b17d9a7070ccc0c885ae578e5509a0
SHA512647b700db14e27ffb1fe3fe0aa1c495f09cd72865d1032d78c9e6c6ba81690431be46a7d0f2aea21e7a77f3162813e3a147243daf8c607a85fbc61346aa77d68
-
Filesize
412B
MD533d0ed101d7924f546e260e5d654fe91
SHA17ead13011d5f8e7244974ba922384c0ac568caf8
SHA256ec6fd4e24f3b4c1d66802e519b3ddfb35a815e812cb9a11269623d76849495fa
SHA51252c7cd0fccab23cc101bf0ad6e1e983ad3ae00fac99036ac6b5bb84e04fe371b75465273ba6049f154f8008f7c1a18385822f83fdd8154b1dd35143024651200
-
Filesize
420B
MD59a3dc2432a41df2164fb6569c0724736
SHA1465ba7fea32410b619bfacc6ef2d3af803dc3814
SHA256863c7bc7f14d0f8d4bd6de398973e211ad5eb6caf2a49a37ac32bfb8c9c52665
SHA51250066decf33c379e5b7d6099554d84bdd13bf57f8d6d7df87a4eb78f45634808b849d6100cd77648ae6d2df94af365d6c8731306cfa1f392a5da64e291cdfebd
-
Filesize
312B
MD5023e5d9d5fd0491df718ec4ad9bebd12
SHA13e9f29444256c26d683c0f3544bcb568084ab082
SHA2562c219f3587282c91af23370457b964104edb704f83fa547eb06cdb2f82049b74
SHA5127864f718ecfda36465868e6794ff813c7541071f1179d3c2dc35d4beac1ad86d66decdfe2ed2a9d02338ccf07a51ac9dcf530a4fcdc6db78e8b17084327b394d
-
Filesize
13KB
MD54161ad6c0580f02d2744f18237096330
SHA10c4f63b73bf333fd7505ec5cbc086b95216c216d
SHA2567ea4c9e27b91ad103e0581049ef1996cae48797f0ddf884bdd24542126c48f0d
SHA512a5833a5f8d3da8e896538dc78a2b11030022ee4dd73ae7d41ac7ab84b58589e55f6522c5208068533674846eb2c837e25dbb47cd464331bb186415667dca3f1d
-
Filesize
24KB
MD58665de22b67e46648a5a147c1ed296ca
SHA1b289a96fee9fa77dd8e045ae8fd161debd376f48
SHA256b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f
SHA512bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da
-
Filesize
24KB
MD5085ebd119f5fc6b8f63720fac1166ff5
SHA1af066018aadec31b8e70a124a158736aca897306
SHA256b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875
-
Filesize
24KB
MD533eea2792b9fa42f418d9d609f692007
SHA148c3916a14ef2d9609ec4d2887a337b973cf8753
SHA2568f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb
SHA512b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95
-
Filesize
24KB
MD581f7ddbfffbcb29fe5a543b3a1e438b8
SHA1d16b194470fe1404be5d9037fe9bccce3677e58f
SHA256df476fccec8b974e8f602f490220c3674c6c4babf5d8050db2f75e80ce09d076
SHA5129a3b6dab440240cc4ce8c5ab7669cc4d14bdb3013da26760411f099c2a59f6daa42a860eec6c6033378a49355e54a50177b68825d8c912286be49976b22fa101
-
Filesize
24KB
MD5b00f3f56c104c94e03cd2ad8452c14e7
SHA151b78e45015e0d9d62fbdf31b75a22535a107204
SHA256ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50
SHA51293e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525
-
Filesize
24KB
MD5bb5122013e9da21ebcd7cf8bbfd442d8
SHA1137dc37b75c41a0edca25bc20dab16729c23d5f5
SHA256fa311153c8e26e115ed889e986eabf2c6f96123d7a3a7f89102bfa89321342c3
SHA5126582f6d15a31dcaecc6e6fee0ebb21b6d2278c4b2c1f80580172181d457c47a8be7edb0bc007c701c8a3adc391656ee166a77f49f575539f4f7e5188f5da8a0a
-
Filesize
24KB
MD5fd39de0268d6a6ad214a2bb8e7d04444
SHA18519ccaaf31ba572e6224e052bd555268e7c205d
SHA25637a1920e52980869d54d3d8affc1a370e9cd947813e51cc4fec909c4ad61a827
SHA5126afbdfa73e5a3e3c4e593ceef2e1f3940d2ec7a40900c5abbc8bf686889ff5b4d5193bef682e8932a750a79b735569779298868f586a6e271eba8670c7002f42
-
Filesize
24KB
MD5e1296dfe2cf3638c45f0ccfe213c538e
SHA139b2b2ee19a86f9ea0732dc42368a3fcb25862bf
SHA25645a432329d74d9a88aa6173a3e9bc951b52a0fdc0bf3fa2ebeb6413ef3b627e4
SHA5122e1973bbc0723a1fdf859e584b46716ca68c184c2cf4292cdf341697cf9edee1321f05dd807d070becafcaff6bbf18c1da6410e3176aea012c20bcd8f532de56
-
Filesize
24KB
MD56f60b13b199ae8351a59df13c18109d5
SHA1954250bb3d7ac1e34da3434ad30b835ea4ec67d7
SHA256668b5f3d8e37d0a65dda3e6c9df96c006e6e48640e95378214ded8776fd1030a
SHA51225a730178a3829e31942e447866c5c26b7d43945149c1b2b82c880fe1aa784b7f2c7815d8b888f117e5e702f6e09c3ae46563b5bf349a4905d3b47970121538a
-
Filesize
48KB
MD5650226ffa8a41b1110b6ff5cbfac8706
SHA1ba3951574884e078ed7d773a343ebb262f91c429
SHA256564a9012bb16d0f3cc747ec85375d33bb4adeffc3e2aec2aaa695f63232ae7a1
SHA512d6365c604bc41d517420a3bc1e3a34d1d0d844aa5fa24f11f688f3fdee2fd402881a867c4adab91b9ed4618e5105f8f8c9bc73082b737b7d435056bb59d6b146
-
Filesize
3.0MB
MD51bf0d61f0561abd2282199a6fb7fb8d7
SHA103ae99b9f018cc6e48c6a8a5fd25e751c80f3e0f
SHA256e7c3d4a6f93ef4a551052ec7330a9aba4bebe9923acc4624b6b52a5c6f8228aa
SHA5129e245bc03a7d4da6eb8db75c13d364b7af0df20b438a585ff6ef32ca6892227d08bf70c365bbc8bc1a4252b3745203dea48cb815df60de10ab52e74335e5f56d
-
Filesize
366B
MD5ac6be84084e31dbb0e08d188b6c86ec8
SHA15c17b1cdefb781993c6f80f2ed292a56703a239b
SHA2561879f7de537c2aa70292c61ebef9c6477d36e25b2e6a639e318b159e0a22b0fc
SHA512a6eb09c3020444d50a3b00d0f7de487e9536f20d83159d23cbc121adfdd2b041199b7d94e4c00cda2fe9e3d0c0cdd05af987855c8b19f0b2985e322c9838ac36
-
Filesize
273B
MD52b32cc89dfc92f94e0be8ece26d9367c
SHA152e7d48896ed6b0ef37106da3813c39d378dc45a
SHA256150fb7c32d4aa311da3755c35cc936b6cf7da6b431c706e858f6522f9b87b99a
SHA5124910d04da1d3d001b81dff2c929e3ca0fc99852cfae1b754d1d8d4ab2ef0d7ca7ac0894ffffea8196bedc9825caaaf13f28fec019a41a456c6a6c7fcc6b3cb66
-
Filesize
358B
MD551f27f2bffcb42875624a4cea1bcb97d
SHA1da2c55bf69add0b937e5ba4dfbe5bbfcdad4f518
SHA256ec81a138618b400fcd3c5db8ac263b989315472dd5cda8cf0b64f297ee005795
SHA5123c455d1983a45246e03db2001e5336b6e671fb542f1406c9a9051f56dc1f646d6c25242edb0086738dcd0a16aaf42336512a9d63268823004ed08dac3b36ed9b
-
Filesize
59B
MD5364f86f97324ea82fe0d142cd01cf6dd
SHA1fc2a45da2ede0c018ab8e46044e6a25765c27d99
SHA25609d5b42140bab13165ba97fbd0e77792304c3c93555be02c3dce21a7a69c66dd
SHA5129b0a0944535e25c944e01bed1674efff119505292b176287c0dad3db70ffc4244cff21cccfd1fd94b09dd6d5f84221930b66b210101e482cc4bb5df3311a5fdf
-
Filesize
1.9MB
MD568cb3a8ee709d7aa9ebd714883d4169b
SHA15b391ee0fb1621b61b3d637c5ae83e39a78d2a7a
SHA2568985491ef0aa360b0e85192e5e1b720bf5e2262c6f344a8a84da80591fb07305
SHA5124ef7e87025193316e5b5d0cc1cf898849cb44db405a68128948ae8dd1e755e1494805c7f8804e06d6d8619dcdfef27266157a5a5f9401f478bbce31c803c9bbc
-
Filesize
2.8MB
MD57999e9a1000078ae7a5e71609732cba8
SHA134b009d8dd8a25a7103907ba6f058c8f76589e1f
SHA256a4f073964153e0f99d2c3c2b01f19322f84a17c5f3834cebb3112f116149ae35
SHA512dd03f0d1436751857bf6e18c8e36b48a14c41ab220be381be836aedd8ffb3a7dc18793c3bb0323beb4662963b1ff3d58c462b97c170b9e59c19bc8f0d4cfc2e7
-
Filesize
339KB
MD58bf4e9352ba53700635f4d2134011419
SHA11e5d2560327b6c2dbf5c37e935f4288aeb26cb81
SHA256d0cb14db634dbe2a3395a59af13942e5ad5437eb3da7c78eb4e6847035a06a29
SHA5126e19a6951be4eec5db0279129ad9ea6cbcf5357a5f8ce8e06dbd57e985b9d384c3ed58783729378d8f519ede63e31cf69d0fb0d23a2113f74ae0e7c8fa69a736
-
Filesize
11KB
MD56419f779d1d7475f3ccd42eb1986aa24
SHA1d8ed16627517476e7ec30a47985e42c36fbceed6
SHA256a2dee4bdbece3f151aaa008d9d612f9d0b373c9f57d944e3eae88aabe393420a
SHA512af7a5dbb482c3d372a4848cb742327811b0b7d63c6fbff0e7f32eeefe88d5af25459603800529ab0fa280f01ba45545b25620ce5f21fa75dc54aec03c07d4135
-
Filesize
106B
MD58874e6cd3845de0b50a810e2c53a62cf
SHA15d16aa2bc1ac0bdc650226e6a7799f0a54c29a07
SHA25640c4d873a165f185e2011480370b1f630f3eaffb9f1295be55e5c83c44e6e364
SHA512e7480c113477e4a88da3fad4757b8eeca8abae4d30bb070d344b47d1d1f43f1e879218adbdcc6bca9476bd7c71f0af57202ada6470bcf7a5dd3d5c8c989eeb32
-
Filesize
25KB
MD5162d1dc406cf79ebdd18416cf7be516c
SHA173c9a09ffb356488dd7b95030ea09f8b5cce0d9d
SHA25630fb8540444c8a47c9198e3acbbee744fa013211f454053810133fb49ebbe930
SHA512f33b093e4a7add7693731efc077c22a5856ae20707455239e9381dcdb9b2aba42bfb033864541d7d25cc28e5521d382a15266535c60d20c9ca7790f3941a5725
-
Filesize
1KB
MD58ca72acc1c9499dd0736b628ffc20853
SHA13f128c7ff5095c7ab0c57690896cde34876e438a
SHA25693ce267b1bdd0acb26a50bdb318897f87e22510f6b1bdc93d47bce9cd8b1ca59
SHA512133c43178b170412494fcd071bc0c6602dd8e7fc7d129abfd319d66bac4e7ff536010f810cb5013d6671ae62a5e3eb84f504f8e1d04ae723831a5dc19a2a649d
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
280KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
280KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
4KB