Analysis
-
max time kernel
122s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04/12/2024, 04:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Resource
win7-20240903-en
windows7-x64
18 signatures
150 seconds
General
-
Target
f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
-
Size
1.2MB
-
MD5
2c73ddb33c7d5b00141a855fa75f41a6
-
SHA1
b0c99c382bb4088aea00f6a3e33b4585e82691e7
-
SHA256
f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93
-
SHA512
db28f4be1cd33ba627725d4029bd89d55f979cdc1ecd409166276585dc84f739ed7b3407c8dddce1103eb18617f666ee89f114f2c56731907683a717e2d0d82b
-
SSDEEP
24576:C8+8EL5BMYsVNRV59BuiJqueyyGmGanfGXXvriy2dYCf6Yq41twdKv1KxckwF7hO:C8A0NRV59BuiJqueyyGmGanfGXXvriyT
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\I: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\K: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\N: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\R: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\W: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\Y: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\L: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\Q: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\V: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\J: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\O: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\S: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\T: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\U: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\E: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\H: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\M: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\P: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\X: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened (read-only) \??\Z: f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened for modification F:\autorun.inf f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe -
resource yara_rule behavioral2/memory/5104-1-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-3-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-17-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-6-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-5-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-13-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-7-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-18-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-20-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-21-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-22-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-23-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-24-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-25-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-26-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-28-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-29-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-81-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-83-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-84-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-87-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-89-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-92-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-94-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-96-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-97-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-161-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-162-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-163-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-217-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-219-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-222-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-223-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-225-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-227-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-229-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-230-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-231-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-289-0x00000000024C0000-0x000000000357A000-memory.dmp upx behavioral2/memory/5104-345-0x00000000024C0000-0x000000000357A000-memory.dmp upx -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Uninstall.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened for modification C:\Program Files\7-Zip\7zG.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened for modification C:\Program Files\7-Zip\7z.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\e5798b6 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe File opened for modification C:\Windows\SYSTEM.INI f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe -
Suspicious behavior: EnumeratesProcesses 52 IoCs
pid Process 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe Token: SeDebugPrivilege 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5104 wrote to memory of 800 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 9 PID 5104 wrote to memory of 804 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 10 PID 5104 wrote to memory of 400 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 13 PID 5104 wrote to memory of 2852 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 49 PID 5104 wrote to memory of 2892 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 50 PID 5104 wrote to memory of 2880 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 52 PID 5104 wrote to memory of 3472 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 56 PID 5104 wrote to memory of 3632 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 57 PID 5104 wrote to memory of 3832 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 58 PID 5104 wrote to memory of 3916 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 59 PID 5104 wrote to memory of 3988 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 60 PID 5104 wrote to memory of 4088 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 61 PID 5104 wrote to memory of 4180 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 62 PID 5104 wrote to memory of 2140 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 75 PID 5104 wrote to memory of 3468 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 76 PID 5104 wrote to memory of 800 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 9 PID 5104 wrote to memory of 804 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 10 PID 5104 wrote to memory of 400 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 13 PID 5104 wrote to memory of 2852 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 49 PID 5104 wrote to memory of 2892 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 50 PID 5104 wrote to memory of 2880 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 52 PID 5104 wrote to memory of 3472 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 56 PID 5104 wrote to memory of 3632 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 57 PID 5104 wrote to memory of 3832 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 58 PID 5104 wrote to memory of 3916 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 59 PID 5104 wrote to memory of 3988 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 60 PID 5104 wrote to memory of 4088 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 61 PID 5104 wrote to memory of 4180 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 62 PID 5104 wrote to memory of 2140 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 75 PID 5104 wrote to memory of 3468 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 76 PID 5104 wrote to memory of 800 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 9 PID 5104 wrote to memory of 804 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 10 PID 5104 wrote to memory of 400 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 13 PID 5104 wrote to memory of 2852 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 49 PID 5104 wrote to memory of 2892 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 50 PID 5104 wrote to memory of 2880 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 52 PID 5104 wrote to memory of 3472 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 56 PID 5104 wrote to memory of 3632 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 57 PID 5104 wrote to memory of 3832 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 58 PID 5104 wrote to memory of 3916 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 59 PID 5104 wrote to memory of 3988 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 60 PID 5104 wrote to memory of 4088 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 61 PID 5104 wrote to memory of 4180 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 62 PID 5104 wrote to memory of 2140 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 75 PID 5104 wrote to memory of 3468 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 76 PID 5104 wrote to memory of 800 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 9 PID 5104 wrote to memory of 804 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 10 PID 5104 wrote to memory of 400 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 13 PID 5104 wrote to memory of 2852 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 49 PID 5104 wrote to memory of 2892 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 50 PID 5104 wrote to memory of 2880 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 52 PID 5104 wrote to memory of 3472 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 56 PID 5104 wrote to memory of 3632 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 57 PID 5104 wrote to memory of 3832 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 58 PID 5104 wrote to memory of 3916 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 59 PID 5104 wrote to memory of 3988 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 60 PID 5104 wrote to memory of 4088 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 61 PID 5104 wrote to memory of 4180 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 62 PID 5104 wrote to memory of 2140 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 75 PID 5104 wrote to memory of 3468 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 76 PID 5104 wrote to memory of 800 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 9 PID 5104 wrote to memory of 804 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 10 PID 5104 wrote to memory of 400 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 13 PID 5104 wrote to memory of 2852 5104 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe 49 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:800
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:804
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:400
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2852
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2892
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2880
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3472
-
C:\Users\Admin\AppData\Local\Temp\f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe"C:\Users\Admin\AppData\Local\Temp\f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5104
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3632
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3832
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3916
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3988
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4088
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4180
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:2140
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3468
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
899B
MD505d49d1580bdcc4ece535255b937c4fe
SHA1edbc077620013207c115cc678067c3098bb246a7
SHA25688ed3bf5ced4fca5d992ca7e5f5b6cd08d6b08e65bdd90a8027486e95082274a
SHA512e9b5f9597978fcd21d7ab9bacf8d7c7af1942352438dcbaf7cafeaa1c48089abfc631b69acdc85c80bcbaaab01ec7df4fa3fd8fadee4b63c8f3978f1053635bc
-
Filesize
899B
MD5c3ca3df94fe4191a6cc858abd987a7f2
SHA1274228ca48671785d96461eb13e7b9fc61d9a91b
SHA25689e06d492e1084519b7f245eeced9edd3b6d713d438e2636c426a2daf802bad6
SHA512144f030693bcf3538096dc04f15c667ebe40a94688697136b562237f06249bb17a973a75b884affa1f2ab39c98aa578d20ad8296ce1fb08da67cc81ed2c353e4
-
Filesize
899B
MD59ddafb42c89df0c50cde3e1035da49fc
SHA155c8dae41068a4b03bd428021cb5e09be007c03e
SHA256378e178426868fd3088a53d5a123569e827cd1d674aeaa4fd1851ff75b35c857
SHA512fcd1427ac2686c4adb54c64afefde3fc5f401d2b6c55005deeac10a9992535d60bc4745b0f564baef15df89b1fd7a157d726cd784ca8cdf8a231e9c022cae9c4
-
Filesize
899B
MD512d392d64788e55919746bc0fd76fca6
SHA10ed68e1ad7d77d058c39833b88895779759d6470
SHA256d3635a91272bc60a8d2c37b9911354c7d88a9011085107880fe4fce293cff4ac
SHA5129a5ba7e1285cd6790ee68c6706bdadb9381ff4161f2f59dfb5d8255fb54231b2785f813b3c4bb1afdab18c8a07a1a1ca5e2967ebf08275f7b612e4ba9cc4341e
-
Filesize
899B
MD5dc6a335e636174eca9d134144796eb78
SHA12fdef02f4355c61fcb2125b1ff1e58a9ed895066
SHA256c7cb62d25e96af99969cf747d2f851f02a545b6d25b4442a0e935aba2518c337
SHA51288f52ae8435422daa39ed6ce9366993a366aac851744fc4e7fd7dfc2849f03bb78e007447ce3bf2394f5342ddc9fb32895d65016432934c7d9ede93523598af7
-
Filesize
899B
MD5631db612fc06a605b96377e10490a4b2
SHA1a04b69d45ad9277e6aa50b78597cd388fab79cbb
SHA256ed8ccd76181fd5ffd706b834e65fd803b23ac31b4e83a50adc6733a01d29bf20
SHA5126309bc44344bf18383f8920fe399f530140b0877af1fe45d1d3e494819c1ec29a17809c8e9714f1f1012a28625f74ef545c336b6e46059ab6939a3b8ddb0b535
-
Filesize
899B
MD53a4fb597fe124a1ae2ade0033ee1a78a
SHA1a376ba69f27ff5391fb6a864e7099806f90257de
SHA256e987bc9b1b024908ea59d53e1539b8ee29d8949acde35573624a5c88e397ee2d
SHA512a754f9b17d37fb7e4a2fcc965ae2bd53347f5bc1563b8f208d511f20b75cd9bbacb08be5c1940f2e13bc7feb37fbaa081c661cc632ff382b79146758bf1a0ce6
-
Filesize
97KB
MD5f723f13d2c45d43e51cf5c7cef35b8f2
SHA16627295d5aae4375dc04c8dc112b98217a3f8949
SHA256fe26cae1b53e13b15ecc4dbf06840a379f167849cddaa93bd359a994a45944bf
SHA512271775a177f293071a0665c4eff2faced8716dcb49c87f3035440bc6c41aca84aa38a9681e8800822bc8f2ddd50abe677c262dbdcf3f6282da46ce3e1bd82eb4