Analysis
-
max time kernel
14s -
max time network
14s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
29/10/2024, 22:04
Static task
static1
General
-
Target
SPOILER_Nextzus_V.8.exe
-
Size
114KB
-
MD5
9a960c4436689eca6d2fba6e25378416
-
SHA1
24597aede4f1c4cefb5da2d581771f294eda21d9
-
SHA256
2b15edfc12f281ececc9e3e26ef466bc37f07b28b15d3f60bcaa77732caf4707
-
SHA512
4b9ef3d8156b81690cc8232a7050c58861bac57c76de24fa20389091423d788f3d08a8970c4dd496cbca54f93c39e43b06b40858a6a1deba9e9fb3ab7c027e63
-
SSDEEP
3072:5S/JCF+HYlSHjQmws4Kfu3EaVZ4g7UiRTwKURLkpf:53F+HY8HjLws4MuUKeg4iRTw1La
Malware Config
Extracted
xworm
185.84.161.64:7000
-
Install_directory
%ProgramData%
-
install_file
svchost.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x0029000000045051-12.dat family_xworm behavioral1/memory/1780-23-0x0000000000450000-0x0000000000468000-memory.dmp family_xworm -
Xworm family
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation SPOILER_Nextzus_V.8.exe -
Executes dropped EXE 1 IoCs
pid Process 1780 svchost.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3272 PING.EXE -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000776893be030d5aaf0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000776893be0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900776893be000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d776893be000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000776893be00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Checks processor information in registry 2 TTPs 23 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor reg.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier reg.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 reg.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString reg.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz reg.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses reg.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses reg.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController reg.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS reg.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information reg.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 reg.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController reg.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 reg.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral reg.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information reg.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\ reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information reg.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 reg.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 reg.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile reg.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController reg.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data reg.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral reg.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier reg.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information reg.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 reg.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information reg.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000\ reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data reg.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data reg.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3272 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2172 WMIC.exe 2172 WMIC.exe 2172 WMIC.exe 2172 WMIC.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 1780 svchost.exe Token: SeIncreaseQuotaPrivilege 2172 WMIC.exe Token: SeSecurityPrivilege 2172 WMIC.exe Token: SeTakeOwnershipPrivilege 2172 WMIC.exe Token: SeLoadDriverPrivilege 2172 WMIC.exe Token: SeSystemProfilePrivilege 2172 WMIC.exe Token: SeSystemtimePrivilege 2172 WMIC.exe Token: SeProfSingleProcessPrivilege 2172 WMIC.exe Token: SeIncBasePriorityPrivilege 2172 WMIC.exe Token: SeCreatePagefilePrivilege 2172 WMIC.exe Token: SeBackupPrivilege 2172 WMIC.exe Token: SeRestorePrivilege 2172 WMIC.exe Token: SeShutdownPrivilege 2172 WMIC.exe Token: SeDebugPrivilege 2172 WMIC.exe Token: SeSystemEnvironmentPrivilege 2172 WMIC.exe Token: SeRemoteShutdownPrivilege 2172 WMIC.exe Token: SeUndockPrivilege 2172 WMIC.exe Token: SeManageVolumePrivilege 2172 WMIC.exe Token: 33 2172 WMIC.exe Token: 34 2172 WMIC.exe Token: 35 2172 WMIC.exe Token: 36 2172 WMIC.exe Token: SeIncreaseQuotaPrivilege 2172 WMIC.exe Token: SeSecurityPrivilege 2172 WMIC.exe Token: SeTakeOwnershipPrivilege 2172 WMIC.exe Token: SeLoadDriverPrivilege 2172 WMIC.exe Token: SeSystemProfilePrivilege 2172 WMIC.exe Token: SeSystemtimePrivilege 2172 WMIC.exe Token: SeProfSingleProcessPrivilege 2172 WMIC.exe Token: SeIncBasePriorityPrivilege 2172 WMIC.exe Token: SeCreatePagefilePrivilege 2172 WMIC.exe Token: SeBackupPrivilege 2172 WMIC.exe Token: SeRestorePrivilege 2172 WMIC.exe Token: SeShutdownPrivilege 2172 WMIC.exe Token: SeDebugPrivilege 2172 WMIC.exe Token: SeSystemEnvironmentPrivilege 2172 WMIC.exe Token: SeRemoteShutdownPrivilege 2172 WMIC.exe Token: SeUndockPrivilege 2172 WMIC.exe Token: SeManageVolumePrivilege 2172 WMIC.exe Token: 33 2172 WMIC.exe Token: 34 2172 WMIC.exe Token: 35 2172 WMIC.exe Token: 36 2172 WMIC.exe Token: SeBackupPrivilege 2032 vssvc.exe Token: SeRestorePrivilege 2032 vssvc.exe Token: SeAuditPrivilege 2032 vssvc.exe Token: SeBackupPrivilege 932 srtasks.exe Token: SeRestorePrivilege 932 srtasks.exe Token: SeSecurityPrivilege 932 srtasks.exe Token: SeTakeOwnershipPrivilege 932 srtasks.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4612 wrote to memory of 1064 4612 SPOILER_Nextzus_V.8.exe 83 PID 4612 wrote to memory of 1064 4612 SPOILER_Nextzus_V.8.exe 83 PID 4612 wrote to memory of 1780 4612 SPOILER_Nextzus_V.8.exe 85 PID 4612 wrote to memory of 1780 4612 SPOILER_Nextzus_V.8.exe 85 PID 1064 wrote to memory of 3272 1064 cmd.exe 86 PID 1064 wrote to memory of 3272 1064 cmd.exe 86 PID 1064 wrote to memory of 2224 1064 cmd.exe 88 PID 1064 wrote to memory of 2224 1064 cmd.exe 88 PID 1064 wrote to memory of 2004 1064 cmd.exe 89 PID 1064 wrote to memory of 2004 1064 cmd.exe 89 PID 1064 wrote to memory of 2184 1064 cmd.exe 90 PID 1064 wrote to memory of 2184 1064 cmd.exe 90 PID 1064 wrote to memory of 2172 1064 cmd.exe 95 PID 1064 wrote to memory of 2172 1064 cmd.exe 95 PID 1064 wrote to memory of 3720 1064 cmd.exe 102 PID 1064 wrote to memory of 3720 1064 cmd.exe 102 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SPOILER_Nextzus_V.8.exe"C:\Users\Admin\AppData\Local\Temp\SPOILER_Nextzus_V.8.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SPOILER_Nextzus_V.8.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\system32\PING.EXEping -n 2 -w 700 google.com3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3272
-
-
C:\Windows\System32\chcp.comchcp 650013⤵PID:2224
-
-
C:\Windows\System32\mode.comMode 120,303⤵PID:2004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"3⤵PID:2184
-
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\default path systemrestore call createrestorepoint "Optimizer by Nextzus V.8", 100, 123⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\System32\reg.exereg export HKEY_LOCAL_MACHINE "C:\Users\Admin\desktop\Nextzus Registry Backup\HKEY_LOCAL_MACHINE_backup.reg"3⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:3720
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2032
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:41⤵
- Suspicious use of AdjustPrivilegeToken
PID:932
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD5493070c1a7aa9cba136e822e2a78d0d2
SHA1388b8bde171b0c63c4ec651336afd94ccb418d2b
SHA256ac285288aac599931709c42d152ba4006b14059634d830dd81431d625ef9f63c
SHA5126eeb9a00dd124de7e3fdf52a9e0bdcf5c59361f750e4840bb19768fb60a5f842181fa48e9213fce9c0b27f6879feb95e6dffac4a1cb7a9c30206b8ad03e54c3e
-
Filesize
70KB
MD5ae702d156a2ee10aa0df4e5a365654a1
SHA1bad92787d53da53bda2f180f770752e679ba80c0
SHA25607cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
SHA5123a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c