Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 19:01

Behavioral task: behavioral1
Sample: a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
Resource: win10v2004-20241007-en
General
Target: a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
Size: 2.0MB
MD5: 63f37a60aae7dc1cc35d06f53a620299
SHA1: 6a9028c5474842b72b8e45fd641eba8ab5911d6d
SHA256: a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca
SHA512: 921a9834c68b70b1f0e2459ff284b1fc751c5b1cfe59c6f6633b74c0cc0345e12db89b4f01c95b69c843085c76bc9c09c7233a81ef38e6df9c9eac70bd2fa0d2
SSDEEP: 49152:YsThC6TYNwUXz+JR2wjx8+X5gZ+th1aaucQPfM7cSCGDt7WWcrRhajx3l7bQonWF:YsThC6TYNwUXz+JR2wjx8+JgZ+th1aas
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 8 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger" | reg.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Directory\\Windowsdef.exe:*:Enabled:Windows Messanger" | reg.exe
Executes dropped EXE (3 IoCs)
Processes: Windowsdef.exe, Windowsdef.exe, Windowsdef.exe
pid | Process
- 2872 | Windowsdef.exe
- 2800 | Windowsdef.exe
- 2776 | Windowsdef.exe
Loads dropped DLL (7 IoCs)
Processes: a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe, Windowsdef.exe
pid | Process
- 2744 | a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
- 2744 | a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
- 2744 | a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
- 2744 | a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
- 2744 | a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
- 2872 | Windowsdef.exe
- 2872 | Windowsdef.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: reg.exe
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDef = "C:\\Users\\Admin\\AppData\\Roaming\\Directory\\Windowsdef.exe" | reg.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: Windowsdef.exe
description | pid | Process | procid_target
- PID 2872 set thread context of 2800 | 2872 | Windowsdef.exe | 34
- PID 2872 set thread context of 2776 | 2872 | Windowsdef.exe | 35
Processes:
resource | yara_rule
- behavioral1/memory/2744-0-0x0000000000400000-0x00000000005FD000-memory.dmp | upx
- behavioral1/files/0x00070000000186d9-27.dat | upx
- behavioral1/memory/2872-46-0x0000000000400000-0x00000000005FD000-memory.dmp | upx
- behavioral1/memory/2744-45-0x0000000000400000-0x00000000005FD000-memory.dmp | upx
- behavioral1/memory/2744-42-0x0000000003980000-0x0000000003B7D000-memory.dmp | upx
- behavioral1/memory/2800-51-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2800-66-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2872-63-0x0000000000400000-0x00000000005FD000-memory.dmp | upx
- behavioral1/memory/2776-62-0x0000000000400000-0x0000000000409000-memory.dmp | upx
- behavioral1/memory/2776-61-0x0000000000400000-0x0000000000409000-memory.dmp | upx
- behavioral1/memory/2776-58-0x0000000000400000-0x0000000000409000-memory.dmp | upx
- behavioral1/memory/2800-57-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2800-56-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2800-72-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2776-73-0x0000000000400000-0x0000000000409000-memory.dmp | upx
- behavioral1/memory/2800-76-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2800-78-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2800-81-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2800-83-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2800-85-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2800-88-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2800-90-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2800-92-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2800-95-0x0000000000400000-0x000000000045C000-memory.dmp | upx
- behavioral1/memory/2800-97-0x0000000000400000-0x000000000045C000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe, Windowsdef.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, Windowsdef.exe, Windowsdef.exe, cmd.exe, cmd.exe, reg.exe, cmd.exe, reg.exe
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Windowsdef.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Windowsdef.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Windowsdef.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Modifies registry key (1 TTPs, 4 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
pid | Process
- 1512 | reg.exe
- 2484 | reg.exe
- 2504 | reg.exe
- 2272 | reg.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes: Windowsdef.exe, Windowsdef.exe
description | pid | Process
- Token: SeDebugPrivilege | 2776 | Windowsdef.exe
- Token: 1 | 2800 | Windowsdef.exe
- Token: SeCreateTokenPrivilege | 2800 | Windowsdef.exe
- Token: SeAssignPrimaryTokenPrivilege | 2800 | Windowsdef.exe
- Token: SeLockMemoryPrivilege | 2800 | Windowsdef.exe
- Token: SeIncreaseQuotaPrivilege | 2800 | Windowsdef.exe
- Token: SeMachineAccountPrivilege | 2800 | Windowsdef.exe
- Token: SeTcbPrivilege | 2800 | Windowsdef.exe
- Token: SeSecurityPrivilege | 2800 | Windowsdef.exe
- Token: SeTakeOwnershipPrivilege | 2800 | Windowsdef.exe
- Token: SeLoadDriverPrivilege | 2800 | Windowsdef.exe
- Token: SeSystemProfilePrivilege | 2800 | Windowsdef.exe
- Token: SeSystemtimePrivilege | 2800 | Windowsdef.exe
- Token: SeProfSingleProcessPrivilege | 2800 | Windowsdef.exe
- Token: SeIncBasePriorityPrivilege | 2800 | Windowsdef.exe
- Token: SeCreatePagefilePrivilege | 2800 | Windowsdef.exe
- Token: SeCreatePermanentPrivilege | 2800 | Windowsdef.exe
- Token: SeBackupPrivilege | 2800 | Windowsdef.exe
- Token: SeRestorePrivilege | 2800 | Windowsdef.exe
- Token: SeShutdownPrivilege | 2800 | Windowsdef.exe
- Token: SeDebugPrivilege | 2800 | Windowsdef.exe
- Token: SeAuditPrivilege | 2800 | Windowsdef.exe
- Token: SeSystemEnvironmentPrivilege | 2800 | Windowsdef.exe
- Token: SeChangeNotifyPrivilege | 2800 | Windowsdef.exe
- Token: SeRemoteShutdownPrivilege | 2800 | Windowsdef.exe
- Token: SeUndockPrivilege | 2800 | Windowsdef.exe
- Token: SeSyncAgentPrivilege | 2800 | Windowsdef.exe
- Token: SeEnableDelegationPrivilege | 2800 | Windowsdef.exe
- Token: SeManageVolumePrivilege | 2800 | Windowsdef.exe
- Token: SeImpersonatePrivilege | 2800 | Windowsdef.exe
- Token: SeCreateGlobalPrivilege | 2800 | Windowsdef.exe
- Token: 31 | 2800 | Windowsdef.exe
- Token: 32 | 2800 | Windowsdef.exe
- Token: 33 | 2800 | Windowsdef.exe
- Token: 34 | 2800 | Windowsdef.exe
- Token: 35 | 2800 | Windowsdef.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe, Windowsdef.exe, Windowsdef.exe, Windowsdef.exe
pid | Process
- 2744 | a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
- 2872 | Windowsdef.exe
- 2800 | Windowsdef.exe
- 2776 | Windowsdef.exe
- 2800 | Windowsdef.exe
- 2800 | Windowsdef.exe
Suspicious use of WriteProcessMemory (62 IoCs)
Processes: a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe, cmd.exe, Windowsdef.exe, Windowsdef.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | Process | procid_target (identical rows are listed once, with their repeat count)
- PID 2744 wrote to memory of 2792 | 2744 | a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe | 30 (x4)
- PID 2792 wrote to memory of 2816 | 2792 | cmd.exe | 32 (x4)
- PID 2744 wrote to memory of 2872 | 2744 | a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe | 33 (x4)
- PID 2872 wrote to memory of 2800 | 2872 | Windowsdef.exe | 34 (x9)
- PID 2872 wrote to memory of 2776 | 2872 | Windowsdef.exe | 35 (x9)
- PID 2800 wrote to memory of 2224 | 2800 | Windowsdef.exe | 36 (x4)
- PID 2800 wrote to memory of 1864 | 2800 | Windowsdef.exe | 37 (x4)
- PID 2800 wrote to memory of 1912 | 2800 | Windowsdef.exe | 38 (x4)
- PID 2800 wrote to memory of 2916 | 2800 | Windowsdef.exe | 40 (x4)
- PID 1864 wrote to memory of 1512 | 1864 | cmd.exe | 43 (x4)
- PID 2224 wrote to memory of 2272 | 2224 | cmd.exe | 45 (x4)
- PID 1912 wrote to memory of 2504 | 1912 | cmd.exe | 46 (x4)
- PID 2916 wrote to memory of 2484 | 2916 | cmd.exe | 47 (x4)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe"
  PID: 2744
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BivMw.bat" "
    PID: 2792
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDef" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe" /f
      PID: 2816
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
  - [depth 2] C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe"
    PID: 2872
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe
      Command line: C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe
      PID: 2800
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2224
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 2272
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe:*:Enabled:Windows Messanger" /f
        PID: 1864
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe:*:Enabled:Windows Messanger" /f
          PID: 1512
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 1912
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 2504
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
        PID: 2916
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
          PID: 2484
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
    - [depth 3] C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe
      Command line: C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe
      PID: 2776
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads
- Filesize: 152B
  MD5: 130a1ad614bfc1851533b7a02e302622
  SHA1: 6cd68d0bacb7b24ca9baedc80d90f1bfca3bb92c
  SHA256: 4620f5f49d3f3c3fcb10d7dd83e5fdc0b2efd44ae429ee5a8dc3e64d76e6bc9a
  SHA512: 16b5e40deb2e66287b86bbff11ac986f36b94a5849fbe2ed7124296e95d563ec0e9b00cbd6008c993c383d1610d371177faf5a9cd5da77a34a778e901f9e7a25
- Filesize: 2.0MB
  MD5: e59a520d81bc6cbc62043831691ed31b
  SHA1: 7d1d508d5d110ecb1fd6099810f2a20e513335fe
  SHA256: 882fb21cb6cd5941e13fdfad1559319ffebe5eb29da1afcfcad862645dc7bebb
  SHA512: a25ca7b32db60f96ee0ae7aa9da31123ed1fb3d9af23dea71ce6a264afa3c4607e56b7dde65ad8a5c3a17fd5a92b164c1f8bd9bc86f068ab06ad4a3ed45aafae