Analysis
-
max time kernel
121s -
max time network
129s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
03-01-2025 18:09
Errors
General
-
Target
PolarBoot.js
-
Size
1KB
-
MD5
23eb8f9e7d4b2191a925c0acec78d846
-
SHA1
023ea9d53ad1d26695c7f9b9f655a8b6bf627eb4
-
SHA256
1d2c73bff499484b33b1457320ff967d48469a96ff41874075bd4e48b6f72906
-
SHA512
c638e22185d10767e6025d444f912be71292c022e8f483efadab31adc6f1a8210922527d2adbc880b99e27941b1eece8960253f28d50a771df8c079e160a23d8
Malware Config
Signatures
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Downloads MZ/PE file
-
Enables test signing to bypass driver trust controls 1 TTPs 1 IoCs
Allows any signed driver to load without validation against a trusted certificate authority.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in Windows directory 9 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
NTFS ADS 4 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\PolarBoot.js1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\TestMove.rm"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff850aacc40,0x7ff850aacc4c,0x7ff850aacc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4444 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4572,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4300,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4324 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3376,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3332 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3320,i,4620191816726505215,15514225744247312216,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4412 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff850753cb8,0x7ff850753cc8,0x7ff850753cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3960 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6276 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1808,7263732031639513532,3494163268407400510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6460 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Spark.exe"C:\Users\Admin\Downloads\Spark.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" -set nointegritychecks on3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" -set testsigning on3⤵
- Modifies boot configuration data using bcdedit
- Enables test signing to bypass driver trust controls
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Subvert Trust Controls
2Code Signing Policy Modification
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD517ee31212ecc42a5afbcf562b125a1e4
SHA1a4b85a18297712ffb8a4767f23e96630d6733cdb
SHA256559f4755e68b3dd5e14cc27ca412df94b4338be2444b1f1ba3c022b2f4a0df97
SHA512b1cd9dc21daec4d4f4adcb1ae04a80e0ba7bcef414f5c77f58f0714629f88171238143aade475d30fc574435d8063a2da543a4e9f2eebb85133a35cc1935ef83
-
Filesize
215KB
MD5d79b35ccf8e6af6714eb612714349097
SHA1eb3ccc9ed29830df42f3fd129951cb8b791aaf98
SHA256c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365
SHA512f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a
-
Filesize
216B
MD578dabf30a725534dff82ce764fbc8034
SHA138254bd7218fed95575cbe0b6438c16a9e2c1da3
SHA2563b8f327b8b0c930221c026b5a3c54a4bd9490c7778602150d23708a8202fcbd4
SHA5122dcc9632148a0cb7f66c71dcb4bef7308200e54ca61dc8d84f737abd2cca216774c06e6a578f94c94d5185d4f59bc9b1e3b1de1bf8ce23e8b81286b542c0c098
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
Filesize
854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
2KB
MD5ed6cded504fc1bd8a4e713276a7478b3
SHA19db6861ce0068371e6b2b7754cabdd68cdc8ce5b
SHA2560b11c32f796106cfabeaae174c9233c779dfbb83d7af43ec808f59eb7f0c73f6
SHA5121edf407b686ab7460c457b7119f154a66e4b0fce1a2a1d83101a89ba22528598e61c1e74f987ebf9ff1e29fa555c3cf59909e90a050c781255b634de4c00cc42
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD57952cd2187d00893e4c485adcd03a890
SHA187789d9801a70b4986431c43fac016995c3a183e
SHA2568a1b7313874d3408945806111cc76790c45fb266463603b4695b7ce4b814d02c
SHA5127e2dfa2f57ba1f6327e7fdb5d7577a88594242d567761661e0b95a59e998d65ccad28a56829a368a363b194d48d68e862c0d70dba9d390104797399ce35530e8
-
Filesize
9KB
MD5afa91377d524a4871228b1b8b9d6f874
SHA1135904c297ccdd957d1a61b27e0997bd2878fab8
SHA2568d0051d99cb816088b3159c3d54fcdeacf85a889d2b609377184f539895da1f3
SHA51236c918315194d39f866f00c2b483f7f1ad1008345a4f1db74ae61b73aaa51c3e2b7480a6ff9cf1861035a426c47756f76101aaac9c2549bab1895f0ebcb0e84c
-
Filesize
9KB
MD591299094aa7043b41ca97dc3a493b26e
SHA1a1d6853353078048fb3ccda53fc871deb6b65dc9
SHA2569f72f935f3f69b85b628d0a23dfe9ab1b7aabb5add51c7aafebef829df02291e
SHA5125e4eb9375f6029b372e242e755f59cf9c0ff087515bcedd745ec45418bcf04bd5a1ae382864163ae3a7a18c96a4ae1462220c9258d727fd5b3593e0014b44b30
-
Filesize
15KB
MD53655aebcbef9f8c510b44b07356acddf
SHA1f4f7357b3a676ecb76ba0c6d09295c10d7438337
SHA2567f7a5994e584b70ddfae6ee9b01358d5d58da6ced7977e2c76d32d68462f8195
SHA51289adfcc82bee72789c82d03c8e7ed63abf8d7b60538c3a74b2dd87bbbca311b88533944edcc64d841113f774f96245ee5bba526a38b5c4361fe672bff429c330
-
Filesize
72B
MD515cc093106f3d787dfdb9d2e576859dd
SHA1b701a23aca1b85944f7d1fb63703e628528348e1
SHA2563b7b9ee3fede92ff534fe14b16521bdefafc6c1d69631094439465b3fcbe0a13
SHA5125fd211bc57658937f7506bb28a61a0502176df0a48c63cda01a67fb1353fc13136dee8b024f6d3fe5051d040d0c5827f5d20b91bfc5251ead76cbe2237d91e84
-
Filesize
231KB
MD51b6a057399b18523a4fdd93071f3d477
SHA145cf6606cdb7d105989361370d0118fd1ac3be48
SHA25662165bd2cd5d93de82a7cb4bab37581cf1a5405dc050e315980b4f1d8c476661
SHA512b5a67b8488d7f61a0949a7a29397d6166144bb7f6a7131a3cbf854ee394da5ba2ca7e495b01af100d0d7069128477c65e96f246e6a52b874f88748b71e70d062
-
Filesize
231KB
MD5f639c9fe7af4f860e5fb4d03577c1f9a
SHA16827239bece4e5852cf1536215396c5fc8e7931d
SHA2563af72071ebf6c54d266a4ca69b92871ed103f3dff2607a5e597a8e06eb579251
SHA51208c18f7c1efec13700220b279275887f3df0b00c81d91a1d66bca548edfc9bdfd69efb8b69f06bae42afa5d69cd1135f7366424b79fa6385a66eb6421ab3876b
-
Filesize
152B
MD5051a939f60dced99602add88b5b71f58
SHA1a71acd61be911ff6ff7e5a9e5965597c8c7c0765
SHA2562cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10
SHA512a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f
-
Filesize
152B
MD5003b92b33b2eb97e6c1a0929121829b8
SHA16f18e96c7a2e07fb5a80acb3c9916748fd48827a
SHA2568001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54
SHA51218005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77
-
Filesize
538B
MD5bc61329d2802a28c085a22f46589b56d
SHA1847d6b00c45658e12666c9def287a70d3e64a314
SHA256d24cb4479a72a3c970a54ae94df358f58ea63df0851dc3e4a3403add2b3b9a5a
SHA5126ec325f1adddf7121de1891e24276d53904d3c4a3e348fa2331e43c8b4a3436972f7dd7d0176a54d6e4c01e37da29bb9cf7bde8c03edcc426c51317c4b14ec9b
-
Filesize
47KB
MD59f96d459817e54de2e5c9733a9bbb010
SHA1afbadc759b65670865c10b31b34ca3c3e000cd31
SHA25651b37ee622ba3e2210a8175ecd99d26d3a3a9e991368d0efbb705f21ff9ac609
SHA512aa2514018ef2e39ebde92125f5cc6fb7f778f2ab3c35d4ec3a075578fda41a76dbd7239fe2ea61533fb3262c04739c6500d1497c006f511aa3142bb2696d2307
-
Filesize
62KB
MD5c813a1b87f1651d642cdcad5fca7a7d8
SHA10e6628997674a7dfbeb321b59a6e829d0c2f4478
SHA256df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
SHA512af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b
-
Filesize
67KB
MD569df804d05f8b29a88278b7d582dd279
SHA1d9560905612cf656d5dd0e741172fb4cd9c60688
SHA256b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608
SHA5120ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e
-
Filesize
63KB
MD5226541550a51911c375216f718493f65
SHA1f6e608468401f9384cabdef45ca19e2afacc84bd
SHA256caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5
SHA5122947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516
-
Filesize
19KB
MD51bd4ae71ef8e69ad4b5ffd8dc7d2dcb5
SHA16dd8803e59949c985d6a9df2f26c833041a5178c
SHA256af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725
SHA512b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863
-
Filesize
26KB
MD55dea626a3a08cc0f2676427e427eb467
SHA1ad21ac31d0bbdee76eb909484277421630ea2dbd
SHA256b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6
SHA512118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc
-
Filesize
40KB
MD53051c1e179d84292d3f84a1a0a112c80
SHA1c11a63236373abfe574f2935a0e7024688b71ccb
SHA256992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3
SHA512df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff
-
Filesize
53KB
MD568f0a51fa86985999964ee43de12cdd5
SHA1bbfc7666be00c560b7394fa0b82b864237a99d8c
SHA256f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f
SHA5123049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7
-
Filesize
3KB
MD5d6175278d6e423b7d1b791f528226a36
SHA127103d7e744f871c68563595d50a4423bfcab761
SHA256c3311c2d31a122dcc073a4d2be5cc9351e82a036669b07800db59154fabecbec
SHA512a667d8d16db070eda5776a4549774da90915fb38b87de544165654159a7ae1fc559994643c16d58eaf22f605fe9316125106f586822d72599218e7436a71fd1f
-
Filesize
6KB
MD5a5811284c22c4e5161b48e73067f817a
SHA1787c4542a661a13b426aa585e951b633cc942651
SHA25665f5872a9c8a16dc8cf6678ffe2cd424d5437c747f6580ff9c08bb4f4bbd3117
SHA5128fe0d6da3cde0c82bdd02ec95362439a537b09b7d2bd85309215b58c5c21529a59374f52ad36733930da15e6c98607d95da999a79c5474c149b2285dfd95cc47
-
Filesize
6KB
MD5f8c119c2407e7dc9fea069589d526807
SHA1f157a736d0223e0c2ce930c299cdd4eb147e6632
SHA256da6cc4f8d5463478be67e3693d9c82049a1c3e2246a5e33e703eab541b66ad7e
SHA5121f7a00a21a750e9e53d9ab3fffd542d566c04989f5e38665b3815d91dc087fb906556e4e3b98a1c3f20cd329e288123dc776f19bd0dd8c373d75c448f5c70521
-
Filesize
6KB
MD598c6110ca5937c0e91cb4d5b859bcf3d
SHA1c09456b92566a8d001e10be62487aaa12070a008
SHA256c26f33f8ea138d1ed1ce643ec79d7dafa00cf21bfc230c8df8962ca263bd3c49
SHA5127baeed9ff9420c28c44ce78737fba58366af0799e064283f3621cc95c5d6d4f9d448ea5066e5c7826a8855ce3565c77a0668980efc9d824b411aa9ad1847614c
-
Filesize
6KB
MD55572ea7c029f8a09491a350d4ac0be23
SHA1fb52acc755f56323259b8805697b0c141faff90c
SHA256c5c7f2ef8465b62689c0abebff85664766414272ff37ead22b78af7112fe4e3e
SHA512e8cfb41875977173e1b94daf4acfcea7982f615623575e7eada3766a0565155c60eff0ea12e542e6eecec8a51d319d9edd670030f05f4ce9416435de49f5a61f
-
Filesize
5KB
MD5d83116e17ec63e663df944ee075309b0
SHA15c9e15f6542bd6bb21c0cd6596729d5a0d59e3c1
SHA25644775acbc6aec913afe3ed4604498a5092d955218ef2ad74ba9e3b11be529efd
SHA512d22e5ca2831eb38088981ff7719519a9f63142935d2a93069ee9211de3de39193b2dd5181ed8f022e51a64b998f22216c094ecd1fd88346e83d6f104a7dfd3c0
-
Filesize
1KB
MD5d58633f50095847ffdc9ab32c7cfaf02
SHA1af994b84c1025499de25dfae0b6dc0507ec0fb11
SHA256e6a272cac74f5415ab20d585a50e3ba164ac2b8272f2fed5e9c375160a1d59ae
SHA512bdfc24ad9a7f8daa210fc92184928413e152c630ad86689da70a47964d068a608da5d9fcd47096013d3f3a774f441739caea0649e96c3429042624bd5da037e0
-
Filesize
1KB
MD5d470532ffb609308f637a6703a7f0851
SHA18e858a2710aa58e237b081e25c72b606c46f0269
SHA256aab4d4a7adf77ff71b526ca991825009016f99c63aa635161c229b21da0286b5
SHA512328eb2705a83b1981902c3726e807a62275ab2f597f571660b2a52b43ea22f45a38d1981a73db83726cc5dbfa30f931727aabc1da48487ff5190c19b5cf0fd51
-
Filesize
1KB
MD555d2f215d105d1797f8c4c40e41ecde5
SHA109b9eb382723d0c676328dcc8bbc9c9eb27d0a0d
SHA256912d6fac58e4b2537ea39da0dcb4b619d999feb507676e8b815284fcad082a41
SHA5128ce912c0ea74f70920c7ff4e26e6bdc120825b301a35a8a200391a9a392087c8853d4f3ab914040619fe18ffa04b12f1acab0c6016143060553ce517d4226093
-
Filesize
538B
MD54f80d105e71c0de81059c702cfcbd90c
SHA1676f75ef6c8585fb4832cf528a71269270034c0a
SHA256cd5987102dc0b56758ea2c7d4b06d2a5867016e1ab780b9425af3d5e0ff7f6bf
SHA512f24ee0cb45f7e4262b08fb1543d281d3be44b301850fbe32dc566547bab32063ff92198ca46d0d0cea7622ab962068f9d3a2930b1b7442c5441b0a55026b7085
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
11KB
MD5523b5365b6cac915818d85ca682d17df
SHA12b0847a2df4d0033b6d3cd108ffef06b74e39487
SHA256003a721aac433de10d9aa4e71b5cc72630a4f9143a0f0f10143d461d00e1dfa7
SHA51259e71b3a209b1c756e37534d898fbb13875bc24b54032a24bc842e9e92da9ef8fc43020a2d4f270369f8fbdeb1c1fecca9fbc5b80535e5ce363691ae0b64aa60
-
Filesize
10KB
MD5d7d4e9f30d01565d4b53855f04e98462
SHA176a698569140adab71a0d5e6c8b590b8da36b344
SHA256d28916cd3f884151dd873beaa2f2241948e13fbd036a0e168652dca5a7c6d089
SHA5128db386c1e1856e94ffd92b8383cc9477d37b7961676979f2ab8b09570d6cc43cb2553497fda8344d7266228b25dd343ec488093e8ff39ea145158af55b61f3bb
-
Filesize
150KB
MD514937b985303ecce4196154a24fc369a
SHA1ecfe89e11a8d08ce0c8745ff5735d5edad683730
SHA25671006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
SHA5121d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
18B
MD57337bc512fb513e575fd2d5030d27673
SHA10bd7bd359fed2c0f96ddd58bc5c63c2b3f86c865
SHA256496ec58b8494f7c08a138eaa0722d0d6a96b00161090d42b3e4cc467c35b604c
SHA512fcf25014382252d493f64ba0b43a854a7d6b9c5f67ea0b977fdd2f2035b7dc4bde403464fb6c738663eed38fdeab47f8aa3b3f02b9cb6ec37d8b92f49070777d
-
Filesize
229B
MD5758089c6ecf325f074440acf9dc5edb3
SHA105b48d6f2da91858ce85942b6add34faf13680a1
SHA2569280ef9d638512985f0c233caf2de9482b961e8450fe1681f15b0e85d21f6a01
SHA51257b40e424bcbdb61477084fe38fb5e46debcb8af59b32b17f53286504c621aafccccb082364c44de2867a3814fdc1287885b6e965ce61669286f43c1a2ed8f44
-
Filesize
495KB
MD5181ee63003e5c3ec8c378030286ed7a2
SHA16707f3a0906ab6d201edc5b6389f9e66e345f174
SHA25655bfcb784904477ef62ef7e4994dee42f03d69bfec3591989513cccbba3fc8fe
SHA512e9820f60b496d6631e054204c6fc5b525527d40a578faac1d5cdb116abcb4a35aacf4f4354ff092a2b455c5d9c2e0f29a761d737d9c9ad3d59d70b51d0583d92
-
Filesize
116KB
MD5a61c26b360471c8258c7571037c4bca0
SHA15db105e0384f25b1ab165c10a9445e6b943cd0ff
SHA256e77316a1fd682e1af8af3ccd03c170f886b9ec8edf7013e1be6a6207cb5a6f16
SHA5123ef680d50ccfa4311d3d1bec1648c48cf8e8633353dea5e06f52339047ede36fd1655ce728541e769d9fcaa6ab8c2a66981aef708a9f4d05ae46ad26f9d6aef4
-
Filesize
512KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
336KB
-
Filesize
208KB
-
Filesize
2.7MB
-
Filesize
16.7MB
-
Filesize
992KB