Analysis
-
max time kernel
809s -
max time network
811s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
08-12-2024 06:28
Static task
static1
Behavioral task
behavioral1
Sample
Gorker Private.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
Gorker Private.exe
-
Size
895KB
-
MD5
533cfcfdbce621d1a75048ed80c82113
-
SHA1
b840f235522f8775e0f590d65580fc511c63762e
-
SHA256
8f74d8dcb94fe2599559dee63511ed67eb75fa47cb8b75104002c4baca0e460e
-
SHA512
c2742323604eaf97df952e6082b20e747fb19c227670eccab58a2a329a24239577af1bb1454fb29b23cb7f0108a9eee9592deb51b462aa7dfbaba4bb6ec61668
-
SSDEEP
6144:qt5IG6wZ9AI57tN0rBe6TM05wiBRju4h4/aOnzJRQuMIwy5zn98psF16TrG8PsTu:fYAI+rBjpOUREzLw2f1WrG8HXXQG
Malware Config
Extracted
njrat
0.7d
HacKed
9cpanel.hackcrack.io:3489
Windows Explorer
-
reg_key
Windows Explorer
-
splitter
|'|'|
Signatures
-
Njrat family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2132 powershell.exe 2576 powershell.exe 60 powershell.exe 1360 powershell.exe 1232 powershell.exe 4496 powershell.exe 2072 powershell.exe 3704 powershell.exe 1232 powershell.exe 4496 powershell.exe 2072 powershell.exe 3704 powershell.exe 2132 powershell.exe 2576 powershell.exe 60 powershell.exe 1360 powershell.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 4364 netsh.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation Gorker Private.exe Key value queried \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation Setup.exe Key value queried \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation Setup.exe Key value queried \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation version.exe Key value queried \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation explorer.exe -
Executes dropped EXE 8 IoCs
pid Process 4780 Setup.exe 2576 Setup.exe 772 Gorker Private .exe 3448 svchost.exe 1956 svchost.exe 2816 explorer.exe 2392 version.exe 4848 explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" Setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" Setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." explorer.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini Setup.exe File opened for modification C:\Windows\assembly\Desktop.ini Setup.exe -
Hide Artifacts: Hidden Window 1 TTPs 8 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
pid Process 1292 cmd.exe 3372 cmd.exe 4612 cmd.exe 3336 cmd.exe 1320 cmd.exe 4004 cmd.exe 548 cmd.exe 4644 cmd.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\assembly Setup.exe File created C:\Windows\assembly\Desktop.ini Setup.exe File opened for modification C:\Windows\assembly\Desktop.ini Setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Kills process with taskkill 1 IoCs
pid Process 3864 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3448 svchost.exe Token: SeDebugPrivilege 1956 svchost.exe Token: SeDebugPrivilege 2816 explorer.exe Token: SeDebugPrivilege 1360 powershell.exe Token: SeDebugPrivilege 1232 powershell.exe Token: SeDebugPrivilege 3864 taskkill.exe Token: SeDebugPrivilege 2072 powershell.exe Token: SeDebugPrivilege 4496 powershell.exe Token: SeDebugPrivilege 3704 powershell.exe Token: SeDebugPrivilege 2132 powershell.exe Token: SeDebugPrivilege 2576 powershell.exe Token: SeDebugPrivilege 60 powershell.exe Token: SeIncreaseQuotaPrivilege 2072 powershell.exe Token: SeSecurityPrivilege 2072 powershell.exe Token: SeTakeOwnershipPrivilege 2072 powershell.exe Token: SeLoadDriverPrivilege 2072 powershell.exe Token: SeSystemProfilePrivilege 2072 powershell.exe Token: SeSystemtimePrivilege 2072 powershell.exe Token: SeProfSingleProcessPrivilege 2072 powershell.exe Token: SeIncBasePriorityPrivilege 2072 powershell.exe Token: SeCreatePagefilePrivilege 2072 powershell.exe Token: SeBackupPrivilege 2072 powershell.exe Token: SeRestorePrivilege 2072 powershell.exe Token: SeShutdownPrivilege 2072 powershell.exe Token: SeDebugPrivilege 2072 powershell.exe Token: SeSystemEnvironmentPrivilege 2072 powershell.exe Token: SeRemoteShutdownPrivilege 2072 powershell.exe Token: SeUndockPrivilege 2072 powershell.exe Token: SeManageVolumePrivilege 2072 powershell.exe Token: 33 2072 powershell.exe Token: 34 2072 powershell.exe Token: 35 2072 powershell.exe Token: 36 2072 powershell.exe Token: SeIncreaseQuotaPrivilege 1360 powershell.exe Token: SeSecurityPrivilege 1360 powershell.exe Token: SeTakeOwnershipPrivilege 1360 powershell.exe Token: SeLoadDriverPrivilege 1360 powershell.exe Token: SeSystemProfilePrivilege 1360 powershell.exe Token: SeSystemtimePrivilege 1360 powershell.exe Token: SeProfSingleProcessPrivilege 1360 powershell.exe Token: SeIncBasePriorityPrivilege 1360 powershell.exe Token: SeCreatePagefilePrivilege 1360 powershell.exe Token: SeBackupPrivilege 1360 powershell.exe Token: SeRestorePrivilege 1360 powershell.exe Token: SeShutdownPrivilege 1360 powershell.exe Token: SeDebugPrivilege 1360 powershell.exe Token: SeSystemEnvironmentPrivilege 1360 powershell.exe Token: SeRemoteShutdownPrivilege 1360 powershell.exe Token: SeUndockPrivilege 1360 powershell.exe Token: SeManageVolumePrivilege 1360 powershell.exe Token: 33 1360 powershell.exe Token: 34 1360 powershell.exe Token: 35 1360 powershell.exe Token: 36 1360 powershell.exe Token: SeIncreaseQuotaPrivilege 1232 powershell.exe Token: SeSecurityPrivilege 1232 powershell.exe Token: SeTakeOwnershipPrivilege 1232 powershell.exe Token: SeLoadDriverPrivilege 1232 powershell.exe Token: SeSystemProfilePrivilege 1232 powershell.exe Token: SeSystemtimePrivilege 1232 powershell.exe Token: SeProfSingleProcessPrivilege 1232 powershell.exe Token: SeIncBasePriorityPrivilege 1232 powershell.exe Token: SeCreatePagefilePrivilege 1232 powershell.exe Token: SeBackupPrivilege 1232 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2816 explorer.exe 2816 explorer.exe -
Suspicious use of WriteProcessMemory 50 IoCs
description pid Process procid_target PID 3816 wrote to memory of 4780 3816 Gorker Private.exe 81 PID 3816 wrote to memory of 4780 3816 Gorker Private.exe 81 PID 3816 wrote to memory of 2576 3816 Gorker Private.exe 82 PID 3816 wrote to memory of 2576 3816 Gorker Private.exe 82 PID 3816 wrote to memory of 772 3816 Gorker Private.exe 83 PID 3816 wrote to memory of 772 3816 Gorker Private.exe 83 PID 2576 wrote to memory of 3448 2576 Setup.exe 87 PID 2576 wrote to memory of 3448 2576 Setup.exe 87 PID 4780 wrote to memory of 1956 4780 Setup.exe 88 PID 4780 wrote to memory of 1956 4780 Setup.exe 88 PID 3448 wrote to memory of 2816 3448 svchost.exe 96 PID 3448 wrote to memory of 2816 3448 svchost.exe 96 PID 2816 wrote to memory of 240 2816 explorer.exe 97 PID 2816 wrote to memory of 240 2816 explorer.exe 97 PID 2392 wrote to memory of 4004 2392 version.exe 100 PID 2392 wrote to memory of 4004 2392 version.exe 100 PID 2392 wrote to memory of 548 2392 version.exe 102 PID 2392 wrote to memory of 548 2392 version.exe 102 PID 2392 wrote to memory of 4644 2392 version.exe 103 PID 2392 wrote to memory of 4644 2392 version.exe 103 PID 2392 wrote to memory of 1292 2392 version.exe 106 PID 2392 wrote to memory of 1292 2392 version.exe 106 PID 2392 wrote to memory of 3372 2392 version.exe 108 PID 2392 wrote to memory of 3372 2392 version.exe 108 PID 2392 wrote to memory of 4612 2392 version.exe 109 PID 2392 wrote to memory of 4612 2392 version.exe 109 PID 2392 wrote to memory of 3336 2392 version.exe 112 PID 2392 wrote to memory of 3336 2392 version.exe 112 PID 2392 wrote to memory of 1320 2392 version.exe 114 PID 2392 wrote to memory of 1320 2392 version.exe 114 PID 4004 wrote to memory of 1360 4004 cmd.exe 115 PID 4004 wrote to memory of 1360 4004 cmd.exe 115 PID 4644 wrote to memory of 1232 4644 cmd.exe 117 PID 4644 wrote to memory of 1232 4644 cmd.exe 117 PID 548 wrote to memory of 4496 548 cmd.exe 120 PID 548 wrote to memory of 4496 548 cmd.exe 120 PID 1292 wrote to memory of 2072 1292 cmd.exe 121 PID 1292 wrote to memory of 2072 1292 cmd.exe 121 PID 3372 wrote to memory of 3704 3372 cmd.exe 122 PID 3372 wrote to memory of 3704 3372 cmd.exe 122 PID 4612 wrote to memory of 2132 4612 cmd.exe 123 PID 4612 wrote to memory of 2132 4612 cmd.exe 123 PID 3336 wrote to memory of 2576 3336 cmd.exe 124 PID 3336 wrote to memory of 2576 3336 cmd.exe 124 PID 1320 wrote to memory of 60 1320 cmd.exe 125 PID 1320 wrote to memory of 60 1320 cmd.exe 125 PID 2816 wrote to memory of 4848 2816 explorer.exe 128 PID 2816 wrote to memory of 4848 2816 explorer.exe 128 PID 4848 wrote to memory of 4364 4848 explorer.exe 129 PID 4848 wrote to memory of 4364 4848 explorer.exe 129
Processes
-
C:\Users\Admin\AppData\Local\Temp\Gorker Private.exe"C:\Users\Admin\AppData\Local\Temp\Gorker Private.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\windows\system32\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\2xleldqp.inf5⤵PID:240
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4364
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe"C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe"2⤵
- Executes dropped EXE
PID:772
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe2⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1360
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe2⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4496
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe2⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1232
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe2⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe2⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe2⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2132
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe2⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe2⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:60
-
-
-
C:\Windows\system32\taskkill.exetaskkill /IM cmstp.exe /F1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3864
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408B
MD578e88b59b68685122df5a07de23fe515
SHA115363e1bb7ec6412abdd32358ae7b6693f8e5bdf
SHA256121d105c84aae277a258b9a913d8ee37944e7b5902ae887500e2f33d0761a3cb
SHA512a6eb63f55993ce115117e3d0ba5f004dbf696d8564f7abf6a4637890aa738dae92c9513215c44895572d3ee27cadc4b65d3d83472440cd99fff0c8132b1ae5ec
-
Filesize
676B
MD5326aef9b08f9aac4b3359803fb646042
SHA1dd4982f91e35e71311888fbae0e9e57080f7c656
SHA25608fea848e761b9374668a952190fb3f245fd4a8d349db8c0787b1de595530922
SHA5123d8f37c8f993f6c142dc23a8feeb8eb3001f1c00d419e662f1efcf6bdc6c32184848d68c4919975fa7189fb889c85303b521be8a325b69b6b1b0389834c80d9c
-
Filesize
588B
MD5eb648159b8b127b921f52890c901eb13
SHA1241023158050ae60a070744c2e230afdec4e8785
SHA25604b00e28462a0ea580e983f6ec59cc74267b74ed61cbc708922be3c63d8f4454
SHA512ea5a2310a760ca3ba493683ab33ded218fff681ad9fcf6b8f7e43ac012a7e13cbc384893788e67c30411ca93b3e3118cc98c9259a087513316f2fc9204ac0ff6
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD552ae4ebcfdd8b42cbe61071597ace6f9
SHA11f985550c2bc349d97c42975529620ea6d977b7f
SHA256c420f2961330660532d6083e146c6fd6f316371f6d919f14f471eb952b7c4fd1
SHA512ef65bb8f5713feb53653a3c01dfccd15a047b343840e3cbe2ef090fe797d3ae878693b3709c137678ba5a9e42d5f3420d5bb99c48697066dacbda76f9ddd81a4
-
Filesize
1KB
MD583d94e8aa23c7ad2db6f972739506306
SHA1bd6d73d0417971c0077f772352d2f538a6201024
SHA256dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881
SHA5124224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e
-
Filesize
1KB
MD560b3262c3163ee3d466199160b9ed07d
SHA1994ece4ea4e61de0be2fdd580f87e3415f9e1ff6
SHA256e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb
SHA512081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af
-
Filesize
1KB
MD56a807b1c91ac66f33f88a787d64904c1
SHA183c554c7de04a8115c9005709e5cd01fca82c5d3
SHA256155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256
SHA51229f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200
-
Filesize
619B
MD56f1420f2133f3e08fd8cdea0e1f5fe27
SHA13aa41ec75adc0cf50e001ca91bbfa7f763adf70b
SHA256aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242
SHA512d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa
-
Filesize
401KB
MD555128e0a30d438cb5e4d85beb4d61d4f
SHA1aa99199ae8d2e1471cb9ec3c8fc1c6cfb355c914
SHA2562a2e49592f82336a9d1a01fd190bc44e98b3caf17c05c046f06e8d4549d2930b
SHA51260fedb8c75623fdefd173dae60a1952520699e42acd58b1075303f3d93abad03a1235f19327cfc6204053a29e16ba6a4de14f3e6fc99667a5d0ac75afd283bc3
-
Filesize
477KB
MD50e6c9432cba1614fccc232f201028c72
SHA16082cf9489faa785c066195f108548e705a6d407
SHA256c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8
SHA512c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
357KB
MD5cff755ff758e9e71d0af34017a8e9d8e
SHA18d401767360e61261cee79a18e061d9a0dc95724
SHA256c4b3fdf0d7a1dc296560d0ca1f09ce89f3acbcab445fe5fcf5fe908ed3844be2
SHA512a752a4ed0229cb7ee5a8b0768254f1acb89b1da876a7594952c75cffdb7b7990a45a335332144ae0ff06e0e0dd5e033a89fa29ed2355e2084bcc249e41a73052
-
Filesize
339KB
MD5301e8d9a2445dd999ce816c17d8dbbb3
SHA1b91163babeb738bd4d0f577ac764cee17fffe564
SHA2562ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb
SHA5124941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3
-
Filesize
140KB
MD5bbf128484e7ea29053c6db91849067ea
SHA1c46ec37265740c349fb265099e47ebbef9369ba1
SHA2565e6f03b5ae15131c2ad374c563273389b3340168ff647433a6b5e7acce468b05
SHA512aeb756d2b2238eaa16a82673b6a86b609320abd6eafc4b742d0f5a9fe88fbbf34a1fd7e6ad9d2f30a832e288a3d7b725a73f83616df1d3edee92c8fd06984e7e
-
Filesize
84KB
MD515ee95bc8e2e65416f2a30cf05ef9c2e
SHA1107ca99d3414642450dec196febcd787ac8d7596
SHA256c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d
SHA512ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98