Analysis
max time kernel: 145s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/10/2023, 02:54
Static task: static1
Behavioral task: behavioral1
  Sample: 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
  Resource: win10v2004-20230915-en
General
Target: 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
Size: 5.7MB
MD5: 706704da7601ee1d23e0b4e1ddb7966f
SHA1: 1234d648ff9d7625aa9b8c43295df2cfbb15c967
SHA256: 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924
SHA512: a8c1ac73787a7638d064a93a0f8b7db0e10eef685c54397932e5faafac52558e0e762ef418640dda0dcd54bb542256db71acc17c2c03f1f20e1e43301308964c
SSDEEP: 98304:1zw2cH457oTOfe6WEEH8gSLO6ZWBGhusJVjnnCZWq82zPJJlKpSGchcBrahwNO+t:xcH45kGe6WEnXZW14VjnC8u5KpSGcaBD
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | mshta.exe

Executes dropped EXE (2 IoCs)
pid | Process
4612 | DongleServer.exe
2780 | DongleServer.exe

Loads dropped DLL (9 IoCs)
pid | Process
4612 | DongleServer.exe
4612 | DongleServer.exe
4612 | DongleServer.exe
4612 | DongleServer.exe
2780 | DongleServer.exe
2780 | DongleServer.exe
2780 | DongleServer.exe
2780 | DongleServer.exe
2780 | DongleServer.exe

resource | yara_rule
behavioral2/files/0x00070000000231b8-26.dat | vmprotect
behavioral2/files/0x00070000000231b8-27.dat | vmprotect
behavioral2/memory/4612-28-0x0000000062C20000-0x0000000062C5C000-memory.dmp | vmprotect
behavioral2/memory/4612-76-0x0000000062C20000-0x0000000062C5C000-memory.dmp | vmprotect
behavioral2/files/0x00070000000231b8-83.dat | vmprotect
behavioral2/memory/2780-149-0x0000000062C20000-0x0000000062C5C000-memory.dmp | vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
4612 | DongleServer.exe
2780 | DongleServer.exe

Drops file in Program Files directory (22 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\Crack4Dental.bat | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\Crack4Dental.bat | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\3s.dat | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\__tmp_rar_sfx_access_check_240615078 | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\3s.dat | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe

Launches sc.exe (4 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
1944 | sc.exe
2236 | sc.exe
2980 | sc.exe
4680 | sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (2 IoCs)
pid | Process
208 | taskkill.exe
4756 | taskkill.exe

Modifies data under HKEY_USERS (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | DongleServer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | DongleServer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | DongleServer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | DongleServer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | DongleServer.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings | mshta.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
4612 | DongleServer.exe
4612 | DongleServer.exe
4612 | DongleServer.exe
4612 | DongleServer.exe
4612 | DongleServer.exe
4612 | DongleServer.exe
4612 | DongleServer.exe
4612 | DongleServer.exe
4612 | DongleServer.exe
4612 | DongleServer.exe
4612 | DongleServer.exe
4612 | DongleServer.exe
2780 | DongleServer.exe
2780 | DongleServer.exe
2780 | DongleServer.exe
2780 | DongleServer.exe
2780 | DongleServer.exe
2780 | DongleServer.exe

Suspicious use of AdjustPrivilegeToken (32 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 208 | taskkill.exe
Token: SeDebugPrivilege | 4756 | taskkill.exe
Token: SeDebugPrivilege | 4612 | DongleServer.exe
Token: SeDebugPrivilege | 2780 | DongleServer.exe
Token: SeShutdownPrivilege | 4104 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4104 | powercfg.exe
Token: SeShutdownPrivilege | 2312 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2312 | powercfg.exe
Token: SeShutdownPrivilege | 4524 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4524 | powercfg.exe
Token: SeShutdownPrivilege | 1632 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1632 | powercfg.exe
Token: SeShutdownPrivilege | 640 | powercfg.exe
Token: SeCreatePagefilePrivilege | 640 | powercfg.exe
Token: SeShutdownPrivilege | 2096 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2096 | powercfg.exe
Token: SeShutdownPrivilege | 4316 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4316 | powercfg.exe
Token: SeShutdownPrivilege | 396 | powercfg.exe
Token: SeCreatePagefilePrivilege | 396 | powercfg.exe
Token: SeShutdownPrivilege | 3732 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3732 | powercfg.exe
Token: SeShutdownPrivilege | 4236 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4236 | powercfg.exe
Token: SeShutdownPrivilege | 1580 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1580 | powercfg.exe
Token: SeShutdownPrivilege | 2408 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2408 | powercfg.exe
Token: SeShutdownPrivilege | 448 | powercfg.exe
Token: SeCreatePagefilePrivilege | 448 | powercfg.exe
Token: SeShutdownPrivilege | 4612 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4612 | powercfg.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1820 wrote to memory of 208 | 1820 | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe | 86
PID 1820 wrote to memory of 208 | 1820 | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe | 86
PID 1820 wrote to memory of 208 | 1820 | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe | 86
PID 1820 wrote to memory of 4756 | 1820 | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe | 89
PID 1820 wrote to memory of 4756 | 1820 | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe | 89
PID 1820 wrote to memory of 4756 | 1820 | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe | 89
PID 1820 wrote to memory of 4216 | 1820 | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe | 92
PID 1820 wrote to memory of 4216 | 1820 | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe | 92
PID 1820 wrote to memory of 4216 | 1820 | 7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe | 92
PID 4216 wrote to memory of 4120 | 4216 | cmd.exe | 95
PID 4216 wrote to memory of 4120 | 4216 | cmd.exe | 95
PID 4216 wrote to memory of 4120 | 4216 | cmd.exe | 95
PID 4216 wrote to memory of 1056 | 4216 | cmd.exe | 96
PID 4216 wrote to memory of 1056 | 4216 | cmd.exe | 96
PID 4216 wrote to memory of 1056 | 4216 | cmd.exe | 96
PID 4216 wrote to memory of 4504 | 4216 | cmd.exe | 98
PID 4216 wrote to memory of 4504 | 4216 | cmd.exe | 98
PID 4216 wrote to memory of 4504 | 4216 | cmd.exe | 98
PID 4504 wrote to memory of 3244 | 4504 | mshta.exe | 101
PID 4504 wrote to memory of 3244 | 4504 | mshta.exe | 101
PID 4504 wrote to memory of 3244 | 4504 | mshta.exe | 101
PID 3244 wrote to memory of 1944 | 3244 | cmd.exe | 103
PID 3244 wrote to memory of 1944 | 3244 | cmd.exe | 103
PID 3244 wrote to memory of 1944 | 3244 | cmd.exe | 103
PID 3244 wrote to memory of 2236 | 3244 | cmd.exe | 104
PID 3244 wrote to memory of 2236 | 3244 | cmd.exe | 104
PID 3244 wrote to memory of 2236 | 3244 | cmd.exe | 104
PID 3244 wrote to memory of 2980 | 3244 | cmd.exe | 105
PID 3244 wrote to memory of 2980 | 3244 | cmd.exe | 105
PID 3244 wrote to memory of 2980 | 3244 | cmd.exe | 105
PID 3244 wrote to memory of 4680 | 3244 | cmd.exe | 106
PID 3244 wrote to memory of 4680 | 3244 | cmd.exe | 106
PID 3244 wrote to memory of 4680 | 3244 | cmd.exe | 106
PID 3244 wrote to memory of 4612 | 3244 | cmd.exe | 107
PID 3244 wrote to memory of 4612 | 3244 | cmd.exe | 107
PID 3244 wrote to memory of 4612 | 3244 | cmd.exe | 107
PID 3244 wrote to memory of 440 | 3244 | cmd.exe | 110
PID 3244 wrote to memory of 440 | 3244 | cmd.exe | 110
PID 3244 wrote to memory of 440 | 3244 | cmd.exe | 110
PID 440 wrote to memory of 4780 | 440 | net.exe | 111
PID 440 wrote to memory of 4780 | 440 | net.exe | 111
PID 440 wrote to memory of 4780 | 440 | net.exe | 111
PID 2780 wrote to memory of 4104 | 2780 | DongleServer.exe | 115
PID 2780 wrote to memory of 4104 | 2780 | DongleServer.exe | 115
PID 2780 wrote to memory of 4104 | 2780 | DongleServer.exe | 115
PID 2780 wrote to memory of 2312 | 2780 | DongleServer.exe | 118
PID 2780 wrote to memory of 2312 | 2780 | DongleServer.exe | 118
PID 2780 wrote to memory of 2312 | 2780 | DongleServer.exe | 118
PID 2780 wrote to memory of 4524 | 2780 | DongleServer.exe | 119
PID 2780 wrote to memory of 4524 | 2780 | DongleServer.exe | 119
PID 2780 wrote to memory of 4524 | 2780 | DongleServer.exe | 119
PID 2780 wrote to memory of 1632 | 2780 | DongleServer.exe | 122
PID 2780 wrote to memory of 1632 | 2780 | DongleServer.exe | 122
PID 2780 wrote to memory of 1632 | 2780 | DongleServer.exe | 122
PID 2780 wrote to memory of 640 | 2780 | DongleServer.exe | 123
PID 2780 wrote to memory of 640 | 2780 | DongleServer.exe | 123
PID 2780 wrote to memory of 640 | 2780 | DongleServer.exe | 123
PID 2780 wrote to memory of 2096 | 2780 | DongleServer.exe | 125
PID 2780 wrote to memory of 2096 | 2780 | DongleServer.exe | 125
PID 2780 wrote to memory of 2096 | 2780 | DongleServer.exe | 125
PID 2780 wrote to memory of 4316 | 2780 | DongleServer.exe | 127
PID 2780 wrote to memory of 4316 | 2780 | DongleServer.exe | 127
PID 2780 wrote to memory of 4316 | 2780 | DongleServer.exe | 127
PID 2780 wrote to memory of 396 | 2780 | DongleServer.exe | 129
Processes
(process tree; [n] is the depth of the process in the tree, children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 1820

  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /t /im "DongleServer.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 208

  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /t /im "DentalDesktopServer.NTService.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4756

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\3Shape\Dongle Server Service\Crack4Dental.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4216

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" ver"
        PID: 4120

    [3] C:\Windows\SysWOW64\find.exe
        Command line: find "5."
        PID: 1056

    [3] C:\Windows\SysWOW64\mshta.exe
        Command line: mshta vbscript:createobject("shell.application").shellexecute("C:\PROGRA~2\3Shape\DONGLE~1\CRACK4~1.BAT","goto :Admin","","runas",1)(window.close)
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        PID: 4504

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\PROGRA~2\3Shape\DONGLE~1\CRACK4~1.BAT" goto :Admin
          - Suspicious use of WriteProcessMemory
          PID: 3244

        [5] C:\Windows\SysWOW64\sc.exe
            Command line: C:\Windows\System32\sc config DentalUpdater start=auto
            - Launches sc.exe
            PID: 1944

        [5] C:\Windows\SysWOW64\sc.exe
            Command line: C:\Windows\System32\sc config ThreeShapeDentalManagerService start=auto
            - Launches sc.exe
            PID: 2236

        [5] C:\Windows\SysWOW64\sc.exe
            Command line: C:\Windows\System32\sc config DongleServerService start=auto
            - Launches sc.exe
            PID: 2980

        [5] C:\Windows\SysWOW64\sc.exe
            Command line: C:\Windows\System32\sc config DentalDesktopServer start=auto
            - Launches sc.exe
            PID: 4680

        [5] C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
            Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe" /install /silent
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4612

        [5] C:\Windows\SysWOW64\net.exe
            Command line: C:\Windows\System32\net start DongleServerService
            - Suspicious use of WriteProcessMemory
            PID: 440

          [6] C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 start DongleServerService
              PID: 4780

        [5] C:\Windows\SysWOW64\net.exe
            Command line: C:\Windows\System32\net start DentalDesktopServer
            PID: 2900

          [6] C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 start DentalDesktopServer
              PID: 2844

        [5] C:\Windows\SysWOW64\net.exe
            Command line: C:\Windows\System32\net start ThreeShapeDentalManagerService
            PID: 832

          [6] C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 start ThreeShapeDentalManagerService
              PID: 4188

[1] C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
    Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2780

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 4104

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 2312

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex 3af9B8d9-7c97-431d-ad78-34a8bfea439f 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 4524

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex 3af9B8d9-7c97-431d-ad78-34a8bfea439f 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 1632

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 640

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 2096

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex 961cc777-2547-4f9d-8174-7d86181b8a7a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 4316

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex 961cc777-2547-4f9d-8174-7d86181b8a7a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 396

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex a1841308-3541-4fab-bc81-f71556f20b4a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 3732

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex a1841308-3541-4fab-bc81-f71556f20b4a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 4236

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex ded574b5-45a0-4f42-8737-46345c09c238 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 1580

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex ded574b5-45a0-4f42-8737-46345c09c238 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 2408

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex e9a42b02-d5df-448d-aa00-03f14749eb61 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 448

  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex e9a42b02-d5df-448d-aa00-03f14749eb61 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 4612
Network
MITRE ATT&CK Enterprise v15
Downloads