Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-12-2024 23:57
- Static task: static1
- Behavioral task: behavioral1
  - Sample: e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
  - Resource: win7-20240903-en
General
- Target: e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
- Size: 2.2MB
- MD5: e8e5c9e651f358d8c24c8f6757f164ed
- SHA1: 74296bf4fceba6d906055c4fedc51b75f4f99f0d
- SHA256: dcff421c7cd4cc77eda4ce513f23ef47cea8784979375ed62a3a78672c590138
- SHA512: 8605b1b3ecb56450fe1b57aa6a62fc9a18045025b4a1cc7094216da9e86b8c8b19d3f243a8e6a696ec502c80f2837b7350c0f5e0da66014a4d48f0e5784e6c9d
- SSDEEP: 49152:vYb/OBImCOQewFay6GKEIhfb0wyI9Ko2P4RP:wbCImCOQewFay6GQhfb0FI9KXk
Malware Config
Extracted
- Family: darkcomet
- Botnet: Novo
- C2: tutoriais157.no-ip.org:1604
- Mutex: DC_MUTEX-VRFY1RF
- Attributes:
  - InstallPath: MSDCSC\msdcsc.exe
  - gencode: MlBzybfvaNEy
  - install: true
  - offline_keylogger: true
  - persistence: true
  - reg_key: MicroUpdate
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (process: e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe)
- Modifies firewall policy service (3 TTPs, 3 IoCs)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: msdcsc.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: msdcsc.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: msdcsc.exe)
- Disables RegEdit via registry modification (1 IoC)
  - Set value (int): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: msdcsc.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  - Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (process: e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe)
- Executes dropped EXE (4 IoCs)
  - PID 4580: H3R0 INJECTOR.EXE
  - PID 5100: msdcsc.exe
  - PID 2800: msdcsc.exe
  - PID 1780: msdcsc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (process: e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (process: msdcsc.exe)
- Drops file in System32 directory (4 IoCs)
  - File created: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (process: e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (process: e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\SysWOW64\MSDCSC\ (process: e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (process: msdcsc.exe)
- Suspicious use of SetThreadContext (4 IoCs)
  - PID 1644 (e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe) set thread context of PID 2308 (procid_target 82)
  - PID 2308 (e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe) set thread context of PID 2752 (procid_target 83)
  - PID 5100 (msdcsc.exe) set thread context of PID 2800 (procid_target 86)
  - PID 2800 (msdcsc.exe) set thread context of PID 1780 (procid_target 87)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: H3R0 INJECTOR.EXE; msdcsc.exe, 3 times; notepad.exe; e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe, 3 times)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 4580: H3R0 INJECTOR.EXE (64 occurrences)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  - PID 2752 (e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  - PID 1780 (msdcsc.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (5 IoCs)
  - PID 1644: e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
  - PID 2308: e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
  - PID 5100: msdcsc.exe
  - PID 2800: msdcsc.exe
  - PID 1780: msdcsc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  - PID 1644 (e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe) wrote to memory of PID 2308 (procid_target 82): 8 occurrences
  - PID 2308 (e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe) wrote to memory of PID 2752 (procid_target 83): 14 occurrences
  - PID 2752 (e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe) wrote to memory of PID 4580 (procid_target 84): 3 occurrences
  - PID 2752 (e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe) wrote to memory of PID 5100 (procid_target 85): 3 occurrences
  - PID 5100 (msdcsc.exe) wrote to memory of PID 2800 (procid_target 86): 8 occurrences
  - PID 2800 (msdcsc.exe) wrote to memory of PID 1780 (procid_target 87): 14 occurrences
  - PID 1780 (msdcsc.exe) wrote to memory of PID 1996 (procid_target 88): 14 occurrences
Processes
- PID 1644: C:\Users\Admin\AppData\Local\Temp\e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - PID 2308: C:\Users\Admin\AppData\Local\Temp\e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe"
    Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 2752: C:\Users\Admin\AppData\Local\Temp\e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
      Signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - PID 4580: C:\Users\Admin\AppData\Local\Temp\H3R0 INJECTOR.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\H3R0 INJECTOR.EXE"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
      - PID 5100: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - PID 2800: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
          Command line: "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - PID 1780: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
            Command line: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
            Signatures: Modifies firewall policy service; Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - PID 1996: C:\Windows\SysWOW64\notepad.exe
              Command line: notepad
              Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Impair Defenses (1)
    - Disable or Modify System Firewall (1)
  - Modify Registry (3)
Downloads
- Filesize: 1.5MB
  MD5: 4274aa3fb911f5621f34595e58e50a7b
  SHA1: d029a0e95a96be0571ceff311c562e52eb878c28
  SHA256: 5a109456ccb1a4435cf6664086f3312820550af2687fc2192712323f13f8f7f1
  SHA512: f7ddb71f80a2e52e1d6068758a1fd220e023889245d1df981511b24a60bcde2d7800ad395be099232693f618a07a800d5868b582078242d89a9b59329847c312
- Filesize: 2.2MB
  MD5: e8e5c9e651f358d8c24c8f6757f164ed
  SHA1: 74296bf4fceba6d906055c4fedc51b75f4f99f0d
  SHA256: dcff421c7cd4cc77eda4ce513f23ef47cea8784979375ed62a3a78672c590138
  SHA512: 8605b1b3ecb56450fe1b57aa6a62fc9a18045025b4a1cc7094216da9e86b8c8b19d3f243a8e6a696ec502c80f2837b7350c0f5e0da66014a4d48f0e5784e6c9d