Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/05/2024, 15:16
Static task: static1
Behavioral task: behavioral1
- Sample: 6f7924bc5c686401699d098dc0498c00_NeikiAnalytics.dll
- Resource: win7-20240508-en
General
- Target: 6f7924bc5c686401699d098dc0498c00_NeikiAnalytics.dll
- Size: 120KB
- MD5: 6f7924bc5c686401699d098dc0498c00
- SHA1: 86b16449afe356b0ab996c9c0b7f4733bf76c3ff
- SHA256: d2070dbf5078d10ae21ce0c59be425827ad6ccadc321e519ec54461c12b49ade
- SHA512: f21790a6a8841146fb7a48bf35a9054141d15280885d43d1f1fe6beb5e3cd9ff5372a4e778b9c94e8e19d0f08ee3a4366b4bbea9fea541bdee2b281efe8450ac
- SSDEEP: 1536:HnRNW0YPy+XeCT2L5YSvHSRSjRU8KBPoo//B6EcjAvf0ArtPOA3:HnRNW0Ya+XTe5YMjTyPooB605POA3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57467f.exe
UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57467f.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e576254.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576254.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e576254.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e576254.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e576254.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e576254.exe
Executes dropped EXE 3 IoCs
pid | Process
3932 | e57467f.exe
2232 | e5747b7.exe
3948 | e576254.exe
UPX packed file 32 IoCs
resource | yara_rule
behavioral2/memory/3932-8-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-25-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-19-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-27-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-18-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-11-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-17-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-9-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-10-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-33-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-35-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-36-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-37-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-38-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-39-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-41-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-42-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-51-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-53-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-54-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-64-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-66-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-70-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-71-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-72-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-73-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-75-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-78-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-79-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-86-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3932-89-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3948-116-0x0000000000B70000-0x0000000001C2A000-memory.dmp | upx
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e576254.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e576254.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e576254.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e576254.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576254.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e576254.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57467f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57467f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e576254.exe
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57467f.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e57467f.exe
File opened (read-only) | \??\J: | e57467f.exe
File opened (read-only) | \??\G: | e57467f.exe
File opened (read-only) | \??\L: | e57467f.exe
File opened (read-only) | \??\O: | e57467f.exe
File opened (read-only) | \??\Q: | e57467f.exe
File opened (read-only) | \??\R: | e57467f.exe
File opened (read-only) | \??\M: | e57467f.exe
File opened (read-only) | \??\P: | e57467f.exe
File opened (read-only) | \??\S: | e57467f.exe
File opened (read-only) | \??\E: | e57467f.exe
File opened (read-only) | \??\I: | e57467f.exe
File opened (read-only) | \??\K: | e57467f.exe
File opened (read-only) | \??\N: | e57467f.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57467f.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57467f.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57467f.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57467f.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\e5746cd | e57467f.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57467f.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
3932 | e57467f.exe (4 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3932 | e57467f.exe (64 identical entries)
Suspicious use of WriteProcessMemory 54 IoCs
description | pid | Process | procid_target (consecutive identical rows collapsed with a count)
PID 1376 wrote to memory of 4272 | 1376 | rundll32.exe | 83 (x3)
PID 4272 wrote to memory of 3932 | 4272 | rundll32.exe | 84 (x3)
PID 3932 wrote to memory of 780 | 3932 | e57467f.exe | 8
PID 3932 wrote to memory of 788 | 3932 | e57467f.exe | 9
PID 3932 wrote to memory of 64 | 3932 | e57467f.exe | 13
PID 3932 wrote to memory of 2900 | 3932 | e57467f.exe | 50
PID 3932 wrote to memory of 2944 | 3932 | e57467f.exe | 51
PID 3932 wrote to memory of 2876 | 3932 | e57467f.exe | 53
PID 3932 wrote to memory of 3436 | 3932 | e57467f.exe | 56
PID 3932 wrote to memory of 3556 | 3932 | e57467f.exe | 57
PID 3932 wrote to memory of 3736 | 3932 | e57467f.exe | 58
PID 3932 wrote to memory of 3836 | 3932 | e57467f.exe | 59
PID 3932 wrote to memory of 3896 | 3932 | e57467f.exe | 60
PID 3932 wrote to memory of 3980 | 3932 | e57467f.exe | 61
PID 3932 wrote to memory of 4072 | 3932 | e57467f.exe | 62
PID 3932 wrote to memory of 4892 | 3932 | e57467f.exe | 74
PID 3932 wrote to memory of 1616 | 3932 | e57467f.exe | 75
PID 3932 wrote to memory of 4256 | 3932 | e57467f.exe | 80
PID 3932 wrote to memory of 1520 | 3932 | e57467f.exe | 81
PID 3932 wrote to memory of 1376 | 3932 | e57467f.exe | 82
PID 3932 wrote to memory of 4272 | 3932 | e57467f.exe | 83 (x2)
PID 4272 wrote to memory of 2232 | 4272 | rundll32.exe | 85 (x3)
PID 4272 wrote to memory of 3948 | 4272 | rundll32.exe | 95 (x3)
PID 3932 wrote to memory of 780 | 3932 | e57467f.exe | 8
PID 3932 wrote to memory of 788 | 3932 | e57467f.exe | 9
PID 3932 wrote to memory of 64 | 3932 | e57467f.exe | 13
PID 3932 wrote to memory of 2900 | 3932 | e57467f.exe | 50
PID 3932 wrote to memory of 2944 | 3932 | e57467f.exe | 51
PID 3932 wrote to memory of 2876 | 3932 | e57467f.exe | 53
PID 3932 wrote to memory of 3436 | 3932 | e57467f.exe | 56
PID 3932 wrote to memory of 3556 | 3932 | e57467f.exe | 57
PID 3932 wrote to memory of 3736 | 3932 | e57467f.exe | 58
PID 3932 wrote to memory of 3836 | 3932 | e57467f.exe | 59
PID 3932 wrote to memory of 3896 | 3932 | e57467f.exe | 60
PID 3932 wrote to memory of 3980 | 3932 | e57467f.exe | 61
PID 3932 wrote to memory of 4072 | 3932 | e57467f.exe | 62
PID 3932 wrote to memory of 4892 | 3932 | e57467f.exe | 74
PID 3932 wrote to memory of 1616 | 3932 | e57467f.exe | 75
PID 3932 wrote to memory of 4256 | 3932 | e57467f.exe | 80
PID 3932 wrote to memory of 2232 | 3932 | e57467f.exe | 85 (x2)
PID 3932 wrote to memory of 764 | 3932 | e57467f.exe | 87
PID 3932 wrote to memory of 1460 | 3932 | e57467f.exe | 88
PID 3932 wrote to memory of 3948 | 3932 | e57467f.exe | 95 (x2)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57467f.exe
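The two signature groups above that matter most for host triage are the registry writes (firewall policy, EnableLUA, and the Security Center override/notify values) and the WriteProcessMemory fan-out from e57467f.exe into every other process on the box. The Python below is an added example, not part of the Triage report and not Triage's or Sality's code: it parses IoC lines in the report's own wording, also accepting Sysmon-style HKLM\... spellings, which it normalises to the same key (hive alias, WOW6432Node and ControlSet00N are folded away), matches them against a rule table built from the values listed above, deduplicates the repeated entries, and summarises which PIDs each process wrote into. The rule descriptions and the two input lines marked "constructed" are the example's own assumptions; every other input line is copied from this report.

```python
"""Parse behavioural IoC lines (registry writes, WriteProcessMemory events)
into triage findings. Added example for this report; not Triage's or Sality's code."""
import re

# Report wording: Set value (int) \REGISTRY\MACHINE\...\Name = "0" proc.exe
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>[^)]+)\)\s+(?P<path>.+?)\s*=\s*"(?P<value>[^"]*)"\s+(?P<process>\S+)\s*$'
)
# Report wording: PID 3932 wrote to memory of 780 3932 e57467f.exe 8
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+) \d+$")

# (key suffix, value name, value meaning "defences impaired", description).
# Keys and values come from this report; the descriptions are the example's own.
FWP = r"Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
SC = r"Microsoft\Security Center"
RULES = [
    (FWP, "EnableFirewall", "0", "Windows Firewall switched off (standard profile)"),
    (FWP, "DoNotAllowExceptions", "0", "firewall exceptions re-allowed"),
    (FWP, "DisableNotifications", "1", "firewall notifications suppressed"),
    (r"Windows\CurrentVersion\Policies\System", "EnableLUA", "0", "UAC disabled (after next logon)"),
    (SC, "AntiVirusOverride", "1", "Security Center stops monitoring antivirus state"),
    (SC, "AntiVirusDisableNotify", "1", "antivirus warnings suppressed"),
    (SC, "FirewallOverride", "1", "Security Center stops monitoring firewall state"),
    (SC, "FirewallDisableNotify", "1", "firewall warnings suppressed"),
    (SC, "UacDisableNotify", "1", "UAC warnings suppressed"),
    (SC, "UpdatesDisableNotify", "1", "Windows Update warnings suppressed"),
]


def normalize_path(path):
    """Canonicalise a registry path so report, Sysmon and reg.exe spellings compare equal."""
    p = path.strip()
    p = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", p, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER", "HKU", p, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", p, flags=re.I)
    p = re.sub(r"^HKEY_USERS", "HKU", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node(?=\\)", "", p, flags=re.I)  # 32-bit view of HKLM\SOFTWARE
    p = re.sub(r"\\ControlSet\d{3}(?=\\)", r"\\CurrentControlSet", p, flags=re.I)
    return p


def classify_registry_events(lines):
    """Return one finding per distinct (process, key, value) that matches a rule."""
    findings, seen = [], set()
    for line in lines:
        m = SET_VALUE_RE.match(line.strip())
        if not m:  # "Key created ..." and other event kinds are not value writes
            continue
        path, value, process = normalize_path(m["path"]), m["value"], m["process"]
        key = (process, path.lower(), value)
        if key in seen:
            continue
        for suffix, name, bad, meaning in RULES:
            if path.lower().endswith(("\\" + suffix + "\\" + name).lower()) and value == bad:
                seen.add(key)
                findings.append({"process": process, "value_name": name, "value": value, "meaning": meaning})
                break
    return findings


def injection_fanout(lines):
    """Map each writing PID to its image name and the distinct PIDs it wrote into."""
    out = {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        entry = out.setdefault(int(m["src"]), {"process": m["proc"], "targets": set()})
        entry["targets"].add(int(m["dst"]))
    return {src: {"process": e["process"], "targets": sorted(e["targets"])} for src, e in out.items()}


# Sample input: lines copied from this report, plus two constructed lines marked as such.
REGISTRY_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57467f.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57467f.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57467f.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57467f.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e576254.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57467f.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57467f.exe',  # repeated in the report
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e576254.exe',
    # constructed: Sysmon-style spelling of the first line; must collapse into it
    r'Set value (int) HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57467f.exe',
    # constructed: benign value from a hypothetical installer; must not fire
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" setup.exe',
]
WPM_LINES = [
    "PID 1376 wrote to memory of 4272 1376 rundll32.exe 83",
    "PID 1376 wrote to memory of 4272 1376 rundll32.exe 83",
    "PID 4272 wrote to memory of 3932 4272 rundll32.exe 84",
    "PID 3932 wrote to memory of 780 3932 e57467f.exe 8",
    "PID 3932 wrote to memory of 788 3932 e57467f.exe 9",
    "PID 3932 wrote to memory of 64 3932 e57467f.exe 13",
    "PID 3932 wrote to memory of 3436 3932 e57467f.exe 56",
    "PID 3932 wrote to memory of 780 3932 e57467f.exe 8",
]

if __name__ == "__main__":
    for f in classify_registry_events(REGISTRY_LINES):
        print(f"{f['process']:<12} {f['value_name']:<22} = {f['value']}  {f['meaning']}")
    for pid, e in sorted(injection_fanout(WPM_LINES).items()):
        print(f"PID {pid} ({e['process']}) wrote into {len(e['targets'])} process(es): {e['targets']}")
```

Two points to carry into a live host check: the Security Center values landed under WOW6432Node, which is where HKLM\SOFTWARE writes from 32-bit processes are redirected, so a 64-bit collector must read both registry views or it will miss them; and EnableLUA = 0 only takes effect after the next logon, so a UAC prompt seen during the run does not mean the write failed. The "File opened for modification" entries on the 7-Zip executables are consistent with Sality's PE file-infector behaviour, so any .exe the sample had write access to should be hashed against a known-good source rather than trusted.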
Processes
image | command line | PID (indentation shows parent/child nesting)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:64
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2900
C:\Windows\system32\sihost.exe | sihost.exe | PID:2944
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2876
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3436
    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7924bc5c686401699d098dc0498c00_NeikiAnalytics.dll,#1 | PID:1376
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7924bc5c686401699d098dc0498c00_NeikiAnalytics.dll,#1 | PID:4272
        - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e57467f.exe | C:\Users\Admin\AppData\Local\Temp\e57467f.exe | PID:3932
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e5747b7.exe | C:\Users\Admin\AppData\Local\Temp\e5747b7.exe | PID:2232
            - Executes dropped EXE
            C:\Users\Admin\AppData\Local\Temp\e576254.exe | C:\Users\Admin\AppData\Local\Temp\e576254.exe | PID:3948
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3556
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3736
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3836
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3896
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3980
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4072
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4892
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1616
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:4256
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1520
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:764
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1460
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
- MD5: e8050c63a2d6a65a44adf703de2d46d2
- SHA1: bee5559436f1c2937514b962cf3ed28d04a7df34
- SHA256: 04c95726d7333dd5f54df4925ba9a2feb736439e86fd243199b897f76ff75c51
- SHA512: b6a7beaf088f17adb817a32e309a30426eae975231cc9598f32fe97f7f744a4895e9cbd98e46f06f258fca883be7b67850e9a819097858b0778ae6fb2dc628ce