Analysis
- max time kernel: 149s
- max time network: 126s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 19-10-2021 19:55
Static task: static1
Behavioral task: behavioral1 (Sample: rdmr_3.exe, Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: rdmr_3.exe, Resource: win10-en-20211014)
General
- Target: rdmr_3.exe
- Size: 1.8MB
- MD5: 00c227b93837e5e5f7f24509459a0216
- SHA1: 8148f3df22b82dbdf664ff5e343bb053f01830b7
- SHA256: 0d93bc5a94ff11a3221e186b6fe8ee28aed9f2f1db2413e6562f43bc7f23786f
- SHA512: 574b1fdc7505aa597b078828d7559982e4b506c49466f2600b0dfcf4ba3584581df35e5c7baa91ddda97052c6e34d146d8d1e0457269f18ac7799deb9ef069db
Malware Config
- Extracted from: C:\Read Me.TXT
- Contact address in the note: aloop@protonmail.com
Signatures
- Clears Windows event logs (1 TTPs)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: rdmr_3.exe
  - File opened for modification: C:\Users\Admin\Pictures\CompleteLimit.tiff (rdmr_3.exe)
  - File created: C:\Users\Admin\Pictures\CompleteLimit.tiff.redeem (rdmr_3.exe)
  - File created: C:\Users\Admin\Pictures\EnterGrant.png.redeem (rdmr_3.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (13 IoCs)
  Processes: rdmr_3.exe
  - File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini (rdmr_3.exe)
- Modifies WinLogon (2 TTPs, 4 IoCs)
  Processes: rdmr_3.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted" (rdmr_3.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "8888888b. 888 \n888 Y88b 888 \n888 888 888 \n888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 \n8888888P\" d8P Y8b d88\" 888 d8P Y8b d8P Y8b 888 \"888 \"88b d8P Y8b 888P\" \n888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 \n888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 \n888 T88b \"Y8888 \"Y88888 \"Y8888 \"Y8888 888 888 888 \"Y8888 888 \n\nMade by Cerebrate - Dread Forums TOR\n[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]\n\n\n\n[Q1] What happened, I cannot open my files and they have an odd extension?\n[A1] Your files have been encrypted by Redeemer, a new ransomware operation.\n\n[Q2] Is there any way to recover my files?\n[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).\n\n[Q3] Is there any any way to recover my files without paying?\n[A3] Without paying it is impossible your files.\nRedeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security.\nWithout a proper key, you will never regain access to your files.\n\n[Q4] What is XMR (Monero)?\n[A4] It is a privacy oriented cryptocurrency.\nYou can learn more about Monero on getmonero.org.\nYou can view ways to purchase it on www.monero.how/how-to-buy-monero.\n\n[Q5] How will I decrypt my files?\n[A5] Follow the general instructions:\n-1. Buy 32 XMR.\n-2. Contact aloop@protonmail.com and send the following key:\n\n-----BEGIN REDEEMER PUBLIC KEY-----\nNzaJFJgPWKxTXBO+KIEgZCxcMhSY8ZVM6JZj4ANMtr+FLRCDar\nwRC6/9thIhlrgN3Rn0pG3w/nNv/+L40n6DPpubWLqwuFAcrpoq\nunujNCGmdwamZUsPhV1l7HMLASXTx27tGyGkJfXoN2Y1/8gQ8W\nHOQ+MIyCzKU0dDkN/ifGmw6+GZrk7KOEDj0nlWtbLWHekZLs9c\nFu0bh3NskwnwQzgzvh8Mk6Bngi+HXhp9IVSy13qlG+Vxmb3Xqa\n91nRuf5ehsXEF756G5vC1khfqxYCoTidhQarEueQkNzZwjyKyo\nLkL+KxlqhDaeOq82sypzuI0Y7o5m0pY9194NM1z1wxHhWovGeL\n6sNtrk9MBz2o3G9UrDn1H3LBrvkW2Fd04wVD1x+xkoiv2UBxB5\nIs+OnmXUmGD6Mq1TqsVoljGlVV3PgOSPfT8nNNyEuHdEru+B7a\ndvjsq48/2p/PIR2zRhcHZVsE7WmiU1IP0ErWVq2B+wBZJjkM0F\nSkSIefMv9pV+tixsrD+FlmuDCAB12VTipcEkuRLiT8GAWAyAEF\nd11MAmomJc0aNfRp2230Ki6iISyihGntK2u84sQaDQXQfyO+RU\nTdonPgGGqY25r95GLV3WABiSPmDJCbIJ3IjTOgbQLVWCf6eWoz\nBhMHI2RASREC0eH4t+v+E2O7ExENzaBYS8Pw==\n-----END REDEEMER PUBLIC KEY-----\n\n-3. You will receive an XMR address where you will need to pay the requested amount of Monero.\n-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal." (rdmr_3.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted" (rdmr_3.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = (same value as the LegalNoticeText entry above, repeated verbatim under the WOW6432Node key) (rdmr_3.exe)
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  - PID 404 vssadmin.exe
- Modifies registry class (7 IoCs)
  Processes: cmd.exe, cmd.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command (cmd.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command\ = "\"C:\\Windows\\system32\\cmd.exe\" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file." (cmd.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.redeem (cmd.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.redeem\ = "redeemer" (cmd.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer (cmd.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell (cmd.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open (cmd.exe)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe, wevtutil.exe, wevtutil.exe, wevtutil.exe, wevtutil.exe, rdmr_3.exe
  - Token: SeBackupPrivilege, PID 3172 vssvc.exe
  - Token: SeRestorePrivilege, PID 3172 vssvc.exe
  - Token: SeAuditPrivilege, PID 3172 vssvc.exe
  - Token: SeSecurityPrivilege, PID 1048 wevtutil.exe
  - Token: SeBackupPrivilege, PID 1048 wevtutil.exe
  - Token: SeSecurityPrivilege, PID 2856 wevtutil.exe
  - Token: SeBackupPrivilege, PID 2856 wevtutil.exe
  - Token: SeSecurityPrivilege, PID 2500 wevtutil.exe
  - Token: SeBackupPrivilege, PID 2500 wevtutil.exe
  - Token: SeSecurityPrivilege, PID 1072 wevtutil.exe
  - Token: SeBackupPrivilege, PID 1072 wevtutil.exe
  - Token: SeTakeOwnershipPrivilege, PID 2680 rdmr_3.exe (all remaining entries in this signature are identical repeats of this one)
- Suspicious use of WriteProcessMemory (42 IoCs)
  Processes: rdmr_3.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  Each entry below is recorded three times in the report (14 distinct parent/target pairs, 42 entries in total).
  - PID 2680 wrote to memory of 368: rdmr_3.exe -> cmd.exe
  - PID 368 wrote to memory of 404: cmd.exe -> vssadmin.exe
  - PID 2680 wrote to memory of 3348: rdmr_3.exe -> cmd.exe
  - PID 3348 wrote to memory of 1048: cmd.exe -> wevtutil.exe
  - PID 2680 wrote to memory of 2160: rdmr_3.exe -> cmd.exe
  - PID 2160 wrote to memory of 2856: cmd.exe -> wevtutil.exe
  - PID 2680 wrote to memory of 2648: rdmr_3.exe -> cmd.exe
  - PID 2648 wrote to memory of 2500: cmd.exe -> wevtutil.exe
  - PID 2680 wrote to memory of 2156: rdmr_3.exe -> cmd.exe
  - PID 2156 wrote to memory of 1072: cmd.exe -> wevtutil.exe
  - PID 2680 wrote to memory of 1964: rdmr_3.exe -> cmd.exe
  - PID 2680 wrote to memory of 696: rdmr_3.exe -> cmd.exe
  - PID 2680 wrote to memory of 720: rdmr_3.exe -> cmd.exe
  - PID 2680 wrote to memory of 372: rdmr_3.exe -> cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\rdmr_3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rdmr_3.exe"
  Signatures: Modifies extensions of user files; Drops desktop.ini file(s); Modifies WinLogon; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /All /Quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wevtutil.exe
      Command line: wevtutil clear-log Application
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wevtutil.exe
      Command line: wevtutil clear-log Security
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wevtutil.exe
      Command line: wevtutil clear-log Setup
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log System
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wevtutil.exe
      Command line: wevtutil clear-log System
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ftype redeemer="C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
    Signatures: Modifies registry class
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c assoc .redeem=redeemer
    Signatures: Modifies registry class
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6