Analysis
  max time kernel: 150s
  max time network: 155s
  platform: windows10-2004_x64
  resource: win10v2004-20230915-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 03/10/2023, 06:26
Behavioral task behavioral1
  Sample: cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe
  Resource: win7-20230831-en
Behavioral task behavioral2
  Sample: cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe
  Resource: win10v2004-20230915-en
General
  Target: cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe
  Size: 2.9MB
  MD5: a1e8853219afd1191f1d832e4a304ec2
  SHA1: cc0769fd386f865c9c0a81c4c2c8dcd90309bdc7
  SHA256: cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d
  SHA512: ebe1836029f8a4c49294f2e05fcc050d5895ef0a356d65006337abea89fc7d91d1a24f9ab2bb4ad3b4f716b892a36f8dccafe2575ca8f5b95fc2a2271c480544
  SSDEEP: 49152:WTGkQf5QZuTtS0rQMYOQ+q8CEETG4QiTGHQ79KFeMD:WKkcWsM0r1QnbK4XKHg0Feq
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  File created: C:\Windows\System32\drivers\nPrhtdP.sys (netsh.exe)
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation (cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe)
Executes dropped EXE (2 IoCs)
  PID 1456: b415c158
  PID 3400: netsh.exe
yara_rule upx matches (8 resources)
  behavioral2/memory/432-0-0x0000000000AB0000-0x0000000000B39000-memory.dmp
  behavioral2/files/0x00060000000231c1-2.dat
  behavioral2/files/0x00060000000231c1-3.dat
  behavioral2/memory/1456-4-0x0000000000D90000-0x0000000000E19000-memory.dmp
  behavioral2/memory/432-27-0x0000000000AB0000-0x0000000000B39000-memory.dmp
  behavioral2/memory/1456-30-0x0000000000D90000-0x0000000000E19000-memory.dmp
  behavioral2/memory/432-37-0x0000000000AB0000-0x0000000000B39000-memory.dmp
  behavioral2/memory/1456-67-0x0000000000D90000-0x0000000000E19000-memory.dmp
Unexpected DNS network traffic destination (1 IoC)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  Destination IP: 114.114.114.114
Drops file in System32 directory (16 IoCs)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (b415c158)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft (b415c158)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData (b415c158)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4 (b415c158)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (b415c158)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A (b415c158)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A (b415c158)
  File created: C:\Windows\SysWOW64\b415c158 (cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (b415c158)
  File created: C:\Windows\system32\ \Windows\System32\Dl3sGs.sys (netsh.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content (b415c158)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E (b415c158)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (b415c158)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache (b415c158)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E (b415c158)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4 (b415c158)
Drops file in Windows directory (2 IoCs)
  File opened for modification: C:\Windows\18ed60 (b415c158)
  File created: C:\Windows\mNPo5io8.sys (netsh.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (netsh.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (netsh.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (netsh.exe)
Delays execution with timeout.exe (2 IoCs)
  PID 4768: timeout.exe
  PID 3920: timeout.exe
Modifies Internet Explorer settings (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\New Windows\Allow (netsh.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com (netsh.exe)
Modifies data under HKEY_USERS (9 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (b415c158)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (b415c158)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (b415c158)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (b415c158)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (b415c158)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (b415c158)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (b415c158)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (b415c158)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (b415c158)
Modifies registry class (3 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (Explorer.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (Explorer.EXE)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Explorer.EXE)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1456: b415c158 (×10)
  PID 3144: Explorer.EXE (×4)
  PID 1456: b415c158 (×2)
  PID 3400: netsh.exe (×48)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3144: Explorer.EXE
Suspicious behavior: LoadsDriver (3 IoCs)
  PID 656: Process not Found (×3)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
  PID 432 cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe: SeDebugPrivilege, SeTcbPrivilege, SeIncBasePriorityPrivilege
  PID 1456 b415c158: SeDebugPrivilege (×3), SeTcbPrivilege, SeIncBasePriorityPrivilege
  PID 3144 Explorer.EXE: SeDebugPrivilege (×2), SeShutdownPrivilege (×15), SeCreatePagefilePrivilege (×15)
  PID 3400 netsh.exe: SeDebugPrivilege (×4)
  PID 5000 svchost.exe: SeManageVolumePrivilege
Suspicious use of FindShellTrayWindow (64 IoCs)
  PID 3400: netsh.exe (×64)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3400: netsh.exe
Suspicious use of UnmapMainImage (1 IoC)
  PID 3144: Explorer.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1456 b415c158 wrote to memory of PID 3144 (procid_target 54) ×5
  PID 3144 Explorer.EXE wrote to memory of PID 3400 (procid_target 88) ×7
  PID 1456 b415c158 wrote to memory of PID 612 (procid_target 6) ×5
  PID 432 cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe wrote to memory of PID 4136 (procid_target 90) ×3
  PID 4136 cmd.exe wrote to memory of PID 4768 (procid_target 92) ×3
  PID 1456 b415c158 wrote to memory of PID 3140 (procid_target 94) ×3
  PID 3140 cmd.exe wrote to memory of PID 3920 (procid_target 96) ×3
  PID 3400 netsh.exe wrote to memory of PID 3144 (procid_target 54) ×35
Processes
  C:\Windows\system32\winlogon.exe (PID 612)
    command line: winlogon.exe
  C:\Windows\Explorer.EXE (PID 3144)
    command line: C:\Windows\Explorer.EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe (PID 432)
      command line: "C:\Users\Admin\AppData\Local\Temp\cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe"
      - Checks computer location settings
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 4136)
        command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\timeout.exe (PID 4768)
          command line: timeout /t 1
          - Delays execution with timeout.exe
    C:\ProgramData\netsh.exe (PID 3400)
      command line: "C:\ProgramData\netsh.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
  C:\Windows\Syswow64\b415c158 (PID 1456)
    command line: C:\Windows\Syswow64\b415c158
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3140)
      command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\b415c158"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe (PID 3920)
        command line: timeout /t 1
        - Delays execution with timeout.exe
  C:\Windows\system32\rundll32.exe (PID 228)
    command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  C:\Windows\System32\svchost.exe (PID 5000)
    command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 94KB
  MD5: 6f1e6dd688818bc3d1391d0cc7d597eb
  SHA1: 9184e64c36629a1dcef084e19cc3e3bef78f2d7b
  SHA256: 6b691b06fa865f52c9484ef4f10e2e02ed6d7c3a3f474b8b138a33af7258b2a9
  SHA512: 92bb25170b96980ca688de629220d0321ba3601f6396456be462e432c5ce958d29dd52f728a7fa992b16f82d456f017809a9e9138e3c2608832469d0f007af24

  Filesize: 2.9MB
  MD5: 2a128b6210b4ffabd736059452a9ec4e
  SHA1: 3b9c91d32d342afcf1624a56ff28a0cd4082828b
  SHA256: ef9d05ba26cc7333bfdc70861ca429b0f25b765b27144c6d88937c97c51cd432
  SHA512: 8a658790c6dcfc23d66fbc5b44e5f5b0afac713e4a304fba4391a80c606da7168d9ec57397e6b873ef5be31592a250833390eb9173225445f7bcbe587355a162

  Filesize: 2.9MB
  MD5: 2a128b6210b4ffabd736059452a9ec4e
  SHA1: 3b9c91d32d342afcf1624a56ff28a0cd4082828b
  SHA256: ef9d05ba26cc7333bfdc70861ca429b0f25b765b27144c6d88937c97c51cd432
  SHA512: 8a658790c6dcfc23d66fbc5b44e5f5b0afac713e4a304fba4391a80c606da7168d9ec57397e6b873ef5be31592a250833390eb9173225445f7bcbe587355a162