Analysis
- max time kernel: 89s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/02/2024, 08:08
Behavioral task behavioral1
- Sample: 96af9bc7db122e2486c0c1f1b90faacc.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 96af9bc7db122e2486c0c1f1b90faacc.exe
- Resource: win10v2004-20231222-en
General
- Target: 96af9bc7db122e2486c0c1f1b90faacc.exe
- Size: 95KB
- MD5: 96af9bc7db122e2486c0c1f1b90faacc
- SHA1: d8c2d6c8218841394847298e1a743f96f012320c
- SHA256: 1b9339d0a70cdef37f4827a81100f9e8158a5633dc8b7a2c3b616f070ce49b5d
- SHA512: aee39931c97c57dd4a047f03ea5b61c77fbd06577c5e54dd6bd0035f0cec61ac3754c52f87702797a8332fa234a3ad58a9f8db2d8d57d82348a5557f0448cf78
- SSDEEP: 1536:4F7fHuVP3JODQj6/107WtLuKvGdUNUPOkckQpGR9uwNWnIR/0CHBl2FQf+ry7dE8:27f+P5ODiq67WtzGUNOOX89uwN+Iq8/7
Malware Config
Signatures
-
Detect ZGRat V1 33 IoCs
resource | yara_rule
behavioral2/memory/4888-32-0x0000000005AA0000-0x0000000005CA8000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-34-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-33-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-36-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-38-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-44-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-46-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-42-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-48-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-52-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-54-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-50-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-40-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-56-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-60-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-66-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-64-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-62-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-58-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-68-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-72-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-70-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-76-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-80-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-82-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-86-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-88-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-90-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-84-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-78-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/4888-74-0x0000000005AA0000-0x0000000005CA3000-memory.dmp | family_zgrat_v1
behavioral2/memory/2336-986-0x0000000005670000-0x000000000579A000-memory.dmp | family_zgrat_v1
behavioral2/memory/644-1957-0x00000000059C0000-0x0000000005AA8000-memory.dmp | family_zgrat_v1
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description | pid | Process | procid_target
PID 3204 created 2520 | 3204 | Dropakxa.exe | 31
PID 3808 created 2520 | 3808 | DropaDkxa.exe | 31
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 96af9bc7db122e2486c0c1f1b90faacc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | Dropakxa.exe
-
Executes dropped EXE 14 IoCs
pid | Process
4888 | Dropakxa.exe
2336 | BBLb.exe
3204 | Dropakxa.exe
3396 | BBLb.exe
4920 | BBLb.exe
1648 | BBLb.exe
4668 | BBLb.exe
644 | BBLb.exe
2888 | DropaDkxa.exe
2424 | DropaDkxa.exe
5024 | DropaDkxa.exe
3808 | DropaDkxa.exe
3612 | AttributeString.exe
624 | AttributeString.exe
-
resource | yara_rule
behavioral2/memory/4416-0-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/4416-5-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/4416-9-0x0000000000400000-0x0000000000427000-memory.dmp | upx
-
Suspicious use of SetThreadContext 7 IoCs
description | pid | Process | procid_target
PID 4416 set thread context of 3784 | 4416 | 96af9bc7db122e2486c0c1f1b90faacc.exe | 91
PID 4888 set thread context of 3204 | 4888 | Dropakxa.exe | 94
PID 2336 set thread context of 644 | 2336 | BBLb.exe | 101
PID 2888 set thread context of 3808 | 2888 | DropaDkxa.exe | 110
PID 3612 set thread context of 624 | 3612 | AttributeString.exe | 119
PID 624 set thread context of 2944 | 624 | AttributeString.exe | 120
PID 2944 set thread context of 1256 | 2944 | InstallUtil.exe | 121
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid | pid_target | Process | procid_target
3940 | 3204 | WerFault.exe | 94
3260 | 3204 | WerFault.exe | 94
4552 | 3808 | WerFault.exe | 110
2976 | 3808 | WerFault.exe | 110
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid | Process | entries
3204 | Dropakxa.exe | 2
4588 | dialer.exe | 4
2336 | BBLb.exe | 8
3196 | powershell.exe | 2
2888 | DropaDkxa.exe | 4
3808 | DropaDkxa.exe | 2
4900 | dialer.exe | 4
624 | AttributeString.exe | 2
2128 | powershell.exe | 2
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
4416 | 96af9bc7db122e2486c0c1f1b90faacc.exe
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4888 | Dropakxa.exe
Token: SeDebugPrivilege | 2336 | BBLb.exe
Token: SeDebugPrivilege | 644 | BBLb.exe
Token: SeDebugPrivilege | 3196 | powershell.exe
Token: SeDebugPrivilege | 2888 | DropaDkxa.exe
Token: SeDebugPrivilege | 3612 | AttributeString.exe
Token: SeDebugPrivilege | 624 | AttributeString.exe
Token: SeDebugPrivilege | 2944 | InstallUtil.exe
Token: SeDebugPrivilege | 1256 | InstallUtil.exe
Token: SeDebugPrivilege | 2128 | powershell.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4416 | 96af9bc7db122e2486c0c1f1b90faacc.exe
3784 | 96af9bc7db122e2486c0c1f1b90faacc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 4416 wrote to memory of 3784 | 4416 | 96af9bc7db122e2486c0c1f1b90faacc.exe | 91 | 4
PID 3784 wrote to memory of 4888 | 3784 | 96af9bc7db122e2486c0c1f1b90faacc.exe | 92 | 3
PID 4888 wrote to memory of 2336 | 4888 | Dropakxa.exe | 93 | 3
PID 4888 wrote to memory of 3204 | 4888 | Dropakxa.exe | 94 | 10
PID 3204 wrote to memory of 4588 | 3204 | Dropakxa.exe | 95 | 5
PID 2336 wrote to memory of 3396 | 2336 | BBLb.exe | 105 | 3
PID 2336 wrote to memory of 4920 | 2336 | BBLb.exe | 104 | 3
PID 2336 wrote to memory of 1648 | 2336 | BBLb.exe | 103 | 3
PID 2336 wrote to memory of 4668 | 2336 | BBLb.exe | 102 | 3
PID 2336 wrote to memory of 644 | 2336 | BBLb.exe | 101 | 8
PID 3784 wrote to memory of 2888 | 3784 | 96af9bc7db122e2486c0c1f1b90faacc.exe | 109 | 3
PID 2888 wrote to memory of 2424 | 2888 | DropaDkxa.exe | 112 | 3
PID 2888 wrote to memory of 5024 | 2888 | DropaDkxa.exe | 111 | 3
PID 2888 wrote to memory of 3808 | 2888 | DropaDkxa.exe | 110 | 10
Processes
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2520
  - C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 4588
  - C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 4900
- C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID: 4416
  - C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"
    Signatures: Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    PID: 3784
    - C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      PID: 4888
      - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        PID: 2336
        - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          PID: 644
        - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Signatures: Executes dropped EXE
          PID: 4668
        - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Signatures: Executes dropped EXE
          PID: 1648
        - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Signatures: Executes dropped EXE
          PID: 4920
        - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Signatures: Executes dropped EXE
          PID: 3396
      - C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        PID: 3204
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 448
          Signatures: Program crash
          PID: 3940
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 444
          Signatures: Program crash
          PID: 3260
    - C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      PID: 2888
      - C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
        PID: 3808
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 448
          Signatures: Program crash
          PID: 4552
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 444
          Signatures: Program crash
          PID: 2976
      - C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
        Signatures: Executes dropped EXE
        PID: 5024
      - C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
        Signatures: Executes dropped EXE
        PID: 2424
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3204 -ip 3204
  PID: 1744
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3204 -ip 3204
  PID: 2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
  Decoded -enc argument (UTF-16LE base64, decoded here; the report shows only the encoded form): Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess AttributeString.exe;
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  PID: 3196
- C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe
  Command line: C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
  PID: 3612
  - C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe
    Command line: C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 624
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
      PID: 2944
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        Signatures: Suspicious use of AdjustPrivilegeToken
        PID: 1256
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3808 -ip 3808
  PID: 4980
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3808 -ip 3808
  PID: 3596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
  Decoded -enc argument (UTF-16LE base64, decoded here; the report shows only the encoded form): Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess AttributeString.exe;
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  PID: 2128
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 927B
  MD5: 4a911455784f74e368a4c2c7876d76f4
  SHA1: a1700a0849ffb4f26671eb76da2489946b821c34
  SHA256: 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
  SHA512: 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d
- Filesize: 944B
  MD5: 77d622bb1a5b250869a3238b9bc1402b
  SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
- Filesize: 88KB
  MD5: 2b22cd365b89d60afc8d982af0445b0b
  SHA1: 460ed7bbffc79263ae170c0c8dde04ea0baf351e
  SHA256: 2eec3d71d5b8c8d8631c2c344c7d1707b5a56774a2789cb3b2da02e2b586bed7
  SHA512: 868818de4847bf4fa3f25179341cdfbcb8db5690d95218f9c3d1c92aedb9d40658512ec183be099982f7f4059ada6282298f637cadf7ea1ef8e71d239b0dda52
- Filesize: 219KB
  MD5: 96ba4df46757c6a1bd023a04b52f0ef3
  SHA1: 8ba9cd04ede4d58b17f2a95ba08d46a38ad260ba
  SHA256: 24093264da626aee681a5a77940b0e245f97922e15e894cff35a896fd59b2d9d
  SHA512: 135a4c156ca38f20b238a5e1c826b2c9c3a74fc0196b503d6f2f8bce4e8bad03d3b816c7e7e6b04815f0438a223f8f640345a4a02515a482329984ddfa389518
- Filesize: 92KB
  MD5: 4ff4d072e58faa4beb48e1b68f9caaa4
  SHA1: 17ecd265ce7fe2fe700f4e3ea9dcb0523e6544fa
  SHA256: 46952fa52b2c831d4e979cc6e768fbf7854de3e54f8242b3ff9e4a61bb28a20f
  SHA512: ba18c19af1fd0e91f109da33e2ee16f3b95dfed1a5a8e1f72162b1f31b79b36acaac25d7e44971dbd55186c0509dbc71c038a6999b5880b0d40672370e4944ef
- Filesize: 212KB
  MD5: 8235de2bd44b82d8c453c0dc6fc1e9ac
  SHA1: 99879f32250c63e410f7c0cae1745c6548bacb6d
  SHA256: faec7fc8a3850e655ff9d124a8dbd3988b68b366ab3868cd5f754cd872d6e4f8
  SHA512: 46dda443890d43c5af81f098d743a758e1c8e46e02cea5f8c767e03e26a0d0fac9e7eacf1b90614a83488f9fbac6cfac750001ff170f9fecff4a351da0a6fd3e
- Filesize: 57KB
  MD5: 0c691ee35d3adb7684153fb87c5cafaa
  SHA1: 3afb667e74115883949ff75ebc1e04f7160181da
  SHA256: 9ec9dc363b99c762a3097d880d5c017a8eaacfe4d82de757f4c73302d00d4b27
  SHA512: f8c469e372fbe90415cfd5f0d5531c1d986d2209d480dcda11a40d6fb68edf851ee281c8a1d7d91697a3b443f450cf0ebaab00f36d1dd933232016bb40834eb5
- Filesize: 526KB
  MD5: f79239265890f8607aef219a912a8215
  SHA1: 0f38eaee2654f9b666c434081cb2809f4995f4bb
  SHA256: 32dc338385f8108aa1c2bc20af93d576f66734f989654d480cc161bb100c7bb3
  SHA512: 7f7a5d11b86bd8b79237bb3bbc0261c06ff0a4a70c60276fc3f05153cd299d61976a6f90694d26521ad8d10f01fcf11c4e3780ea914195774a01ebcf4f5e89a0
- Filesize: 529KB
  MD5: 9c0962bbea048e2a9de1271b1191745e
  SHA1: e3993833b14f3c984078966849460b85aa2593b0
  SHA256: a5e7c49bc2a14562a593bb087ed09f8d9837e889ad2968189cb781a81143cc6f
  SHA512: e15775ebc62cc0a347cf1799db35cfa9736c6d5ad29b05847b4d5d5dbbf0fdc5799f9a756347114b437d4ddf0c29f05433ac5197b8b2e6803816d7a6d33feeed
- Filesize: 181KB
  MD5: d66266bdd66df1367606c4c1e3af4491
  SHA1: 5ce8e64b2f43ea108282d145dae51f8f0368474d
  SHA256: ec42eb54b3f3b0d1f86bde3a25b5f7a50caf6219fd2752dc64a6d0cd5043fcd8
  SHA512: 4542f75de2b86fd00736bef4f072484f325f448e1c2b86c8e128dff188b232f30feb44d8c1d610bbec72a9ff6faef43c722dd9f7be56feb77331e4348b62406e
- Filesize: 2.1MB
  MD5: 1a917a85dcbb1d3df5f4dd02e3a62873
  SHA1: 567f528fec8e7a4787f8c253446d8f1b620dc9d6
  SHA256: 217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e
  SHA512: 341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec
- Filesize: 303KB
  MD5: 3cb95105c6a166aefa82f2903580088a
  SHA1: d2fe8a56874248a903a7a11e20ba30ab299e573c
  SHA256: 06c4b161fcceb223fa477f2e8c38b3905d347ce10d6b7d8aa674fc8c15df5475
  SHA512: 23e4bd4f260538f84a0b5c8893ed2920edaf7d91a55444ac210f9673e5217f377d8cca1ddd9c9691ade75a05befaaa6956ff2deaa392a03db0d1d5970fa6b5e2
- Filesize: 215KB
  MD5: 4333389969ba377ea0f16257d84a0e73
  SHA1: 18177d88d34be43bb924bdedde7d64d720f4c807
  SHA256: 5170f83f07cc1bc8a3a70742c0094506662ab5885dde11ad443a9d536667d567
  SHA512: 8b97aeb453b12eb944ccf0f2940bde20b50913cf48ca152a65c646f55a5a9d5368ff0fd0bd4bb74bf6e2d2edeae4e348cb75049b85a871f81b16758095cb032d
- Filesize: 169KB
  MD5: cb5cd0d9238b1f2bc72238039d35896c
  SHA1: b700917a6ff05a5209e72363c0e3379a698d5b79
  SHA256: 7f2bf75ee96eb6274bccb57730e7aaa8f3fee6cabb82c177a2bdf632402b7de6
  SHA512: 727d16781c51adc33ef05f628b702e3c4e0eee2b2f3b622d0a7c62f92a9d5080db9c40f98766d3aacd53012af04015e513c9c9573b73bb1487ad173a65c3d813
- Filesize: 209KB
  MD5: bb6f1485ca9bb99bf53960b9d1b327c3
  SHA1: d8dbfb7c389d34d5dbc717e123e7ffa33db047fa
  SHA256: 53b4a8f6537f5efb5ce99b96a72577e214dfef4e7a6804be88fc38ceaa91e5de
  SHA512: c46b65d9c307f39d76743a6d5e392663152823d43cf6f59ac04fad69af30636268a8be0b1e11f684d1c33813ed92a29efb1a97480436330747eded4f2ee566e6
- Filesize: 583KB
  MD5: 3fe26e4272ee9079eca25927f8fede41
  SHA1: 08accd9b1eb94f62679adf32dccf9a48f3d65d62
  SHA256: f4354f6ba4d415bbe0a2911b9706000da0ec9619c5a97a0f31b3055f05499c1a
  SHA512: 6ea25e86de9fa219dc835d06e7421c33231177df6340af60feafbcf56c032130287f67bb322ff8e3065872cec1a15fc8dad0d8fcea83ccd2fda5326f8d4f7b57
- Filesize: 495KB
  MD5: aecb18a3caeeac76925892c67314fedb
  SHA1: 9a883cdaff6a5d33add9bb4ffea78f5faef9b9a8
  SHA256: 2725c0ccb3490383cfde1baac41dec628d2008be21a66066d2d372bcc4280d25
  SHA512: dad6af9f6417f92b896592a083c1e8c41458deba52b8d3a96c717cb73fe0e211b2b7d6ef64a50b13a342a0a7bee4e89b65401ae1fe1b05e8bce323de405bb9fa
- Filesize: 386KB
  MD5: 4268e4dff85cfe28241b316059d4e62d
  SHA1: d4485914e31cb7a744219daa4d20da84b5041496
  SHA256: 6875f91d0de394779e082729fd267e458a83d1616ccf8c8f875aaf919d53fa3c
  SHA512: 0d6671b7b40b45f7ee770f0e7f5123b3a9e900ad07c2cfe6a88d4651f0c3ec82cd870a345a87b121a67290cb3fcd626cc262115c127ca2aee724dcf2f0e00d8e
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1011KB
  MD5: 9b7cb2211782921b151970f3a8fa65b4
  SHA1: c467cde438253f34bf43f1d3f5eff8905dd0a4fe
  SHA256: 628e02a4973fb578ea9535680b0aed328a6e83b0ec4f9cbf73400249266bb974
  SHA512: 56bde9c7e2aa7a1642c61a723d00114b11ec9a710c709d7f25aee03ebb8396f12316db2f88174fc6c70e391d2559f718b59c8173634859604b93f7ca6f15864d
- Filesize: 1.2MB
  MD5: 71eb1bc6e6da380c1cb552d78b391b2a
  SHA1: df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d
  SHA256: cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6
  SHA512: d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90
- Filesize: 391KB
  MD5: ae84ef27afc1add4de241467dd7c8fa9
  SHA1: 91187a90f0c9fdc59c325fedcf829bf72414ef37
  SHA256: cd3dea6a694a94800d902f7daf2bac75d7a004f497716943fd0d262bdad28497
  SHA512: 09d5f1a9b417fa6ce9237a04d954e735ed0a319af01a56589de45a71be3548e17e3884c0d7bd0ce4372be62a4d34e4abbd4c2b2a45eb6c216995033ab207edd8