Analysis
-
max time kernel
123s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
04/12/2024, 04:42
Static task
static1
Behavioral task
behavioral1
Sample
f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Resource
win7-20240903-en
General
-
Target
f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
-
Size
1.2MB
-
MD5
2c73ddb33c7d5b00141a855fa75f41a6
-
SHA1
b0c99c382bb4088aea00f6a3e33b4585e82691e7
-
SHA256
f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93
-
SHA512
db28f4be1cd33ba627725d4029bd89d55f979cdc1ecd409166276585dc84f739ed7b3407c8dddce1103eb18617f666ee89f114f2c56731907683a717e2d0d82b
-
SSDEEP
24576:C8+8EL5BMYsVNRV59BuiJqueyyGmGanfGXXvriy2dYCf6Yq41twdKv1KxckwF7hO:C8A0NRV59BuiJqueyyGmGanfGXXvriyT
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
-
Sality family
-
(The four signature names below are missing from the extracted page; they are taken, in order, from the signature list shown under PID:2136 in the Processes section.)
UAC bypass 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
-
Windows security bypass 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
-
Windows security modification 7 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
-
Checks whether UAC is enabled 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\H: \??\O: \??\W: \??\P: \??\R: \??\T: \??\U: \??\V: \??\G: \??\I: \??\L: \??\Y: \??\Z: \??\N: \??\S: \??\J: \??\K: \??\M: \??\E: \??\Q: \??\X: (21 IoCs, one read-only open per drive letter, all by f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe)
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\autorun.inf f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
File opened for modification F:\autorun.inf f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
-
upx (yara rule) 39 IoCs
resource yara_rule
behavioral2/memory/2136-N-0x00000000024B0000-0x000000000356A000-memory.dmp upx, for N in 1, 3, 4, 5, 6, 12, 13, 16, 18, 20, 21, 22, 23, 24, 25, 26, 28, 29, 81, 83, 85, 87, 89, 92, 93, 157, 158, 161, 215, 217, 219, 221, 223, 225, 227, 228, 287, 289, 291 (39 hits, every one on the same 0x00000000024B0000-0x000000000356A000 region of PID 2136)
-
Drops file in Program Files directory 11 IoCs
description ioc Process
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
File opened for modification C:\Program Files\7-Zip\7z.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
-
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\Windows\e57abff f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
File opened for modification C:\Windows\SYSTEM.INI f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
pid Process
2136 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe (52 identical entries, all from PID 2136)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 2136 f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe (64 identical entries; the only privilege adjusted is SeDebugPrivilege, always by PID 2136)
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
All 64 entries record PID 2136 (f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe) writing into 17 distinct target processes; the list repeats in four passes of 17, 17, 16 and 14 entries. The distinct targets, with the image each PID maps to in the Processes section and the number of entries for it:
PID 2136 wrote to memory of 784 (fontdrvhost.exe) procid_target 8, 4 entries
PID 2136 wrote to memory of 792 (fontdrvhost.exe) procid_target 9, 4 entries
PID 2136 wrote to memory of 316 (dwm.exe) procid_target 13, 4 entries
PID 2136 wrote to memory of 2648 (sihost.exe) procid_target 44, 4 entries
PID 2136 wrote to memory of 2672 (svchost.exe -k UnistackSvcGroup -s CDPUserSvc) procid_target 45, 4 entries
PID 2136 wrote to memory of 2744 (taskhostw.exe) procid_target 47, 4 entries
PID 2136 wrote to memory of 3508 (Explorer.EXE) procid_target 56, 4 entries
PID 2136 wrote to memory of 3684 (svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) procid_target 57, 4 entries
PID 2136 wrote to memory of 3864 (DllHost.exe) procid_target 58, 4 entries
PID 2136 wrote to memory of 3960 (StartMenuExperienceHost.exe) procid_target 59, 4 entries
PID 2136 wrote to memory of 4024 (RuntimeBroker.exe) procid_target 60, 4 entries
PID 2136 wrote to memory of 1000 (SearchApp.exe) procid_target 61, 4 entries
PID 2136 wrote to memory of 3944 (RuntimeBroker.exe) procid_target 62, 4 entries
PID 2136 wrote to memory of 4620 (RuntimeBroker.exe) procid_target 64, 4 entries
PID 2136 wrote to memory of 2304 (TextInputHost.exe) procid_target 76, 3 entries
PID 2136 wrote to memory of 808 (RuntimeBroker.exe) procid_target 77, 3 entries
PID 2136 wrote to memory of 2696 (backgroundTaskHost.exe) procid_target 82, 2 entries
-
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe
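The registry writes in the "Modifies firewall policy service", "UAC bypass", "Windows security bypass", "Windows security modification" and "System policy modification" groups above are the part of this report that transfers directly into detection logic: the same ten value names, written with the same data, are what a Sysmon Event ID 13 (RegistryEvent, value set) feed would show on a real host. Two details matter when matching them. The WOW6432Node paths are not a separate key the sample chose; they are where the x64 guest redirected the 32-bit sample's writes to HKLM\SOFTWARE\Microsoft\Security Center, so a rule has to fold the redirected and native spellings together. And ControlSet001 is simply the control set that was current when the sandbox booted; on a live host the equivalent path is CurrentControlSet. The Python below is an added example, not part of the sandbox report or of any tool it names. It parses rows in the report's own "Set value" format, canonicalizes the key path, and flags a process that tampers with more than one defensive control. The sample rows are copied from this report; the setup.exe row is a constructed benign control, and the min_categories threshold is an assumed tuning value.

```python
r"""Flag the defense-impairment registry writes listed in the signatures above.

Added example; not part of the sandbox report or of any tool it names.
parse_report_row() reads one row in the report's own
    Set value (<type>) <key>\<value name> = "<data>" <process>
format, normalize_key() folds the \REGISTRY\MACHINE, HKEY_LOCAL_MACHINE,
ControlSetNNN and WOW6432Node spellings onto one canonical HKLM path, and
assess() flags a process that tampers with at least min_categories of the
three controls (firewall policy, UAC, Security Center). SAMPLE_ROWS are
copied from the report except the setup.exe row, which is a constructed
benign control. Data is compared as a decimal string; a Sysmon Event ID 13
detail such as 'DWORD (0x00000000)' must be converted before calling assess().
"""
import re
from collections import defaultdict

FIREWALL = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
UAC_POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SEC_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"

# (key, value name, data that indicates tampering) -> control impaired
RULES = {
    (FIREWALL, "EnableFirewall", "0"): "firewall",
    (FIREWALL, "DoNotAllowExceptions", "0"): "firewall",
    (FIREWALL, "DisableNotifications", "1"): "firewall",
    (UAC_POLICY, "EnableLUA", "0"): "uac",
}
for _name in ("AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
              "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify"):
    RULES[(SEC_CENTER, _name, "1")] = "security_center"
# registry key paths and value names are case-insensitive, so match lower-cased
_RULES_CI = {(k.lower(), n.lower(), d): c for (k, n, d), c in RULES.items()}

ROW_RE = re.compile(r'Set value \((\w+)\) (.+?) = "([^"]*)" (\S+)$')
SAMPLE = "f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe"
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" ' + SAMPLE,
    # constructed benign control: an installer adjusting an unrelated UAC policy value
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" setup.exe',
]


def normalize_key(key):
    """Canonical HKLM path: native, HKEY_LOCAL_MACHINE, ControlSetNNN and 32-bit-redirected forms collapse together."""
    k = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.I)
    k = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", k, flags=re.I)
    k = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", k, flags=re.I)
    k = re.sub(r"\\WOW6432Node\\", r"\\", k, flags=re.I)
    return k


def parse_report_row(row):
    """Return (process, key, value_name, data) for a 'Set value' row, or None for anything else."""
    m = ROW_RE.search(row.strip())
    if not m:
        return None
    _type, full_path, data, process = m.groups()
    key, _, name = full_path.rpartition("\\")
    return process, key, name, data


def classify(key, value_name, data):
    """Control impaired by one write ('firewall', 'uac', 'security_center') or None."""
    return _RULES_CI.get((normalize_key(key).lower(), value_name.lower(), data))


def assess(events, min_categories=2):
    """Group (process, key, name, data) writes by process; flag multi-control tampering."""
    hits = defaultdict(set)
    for process, key, name, data in events:
        category = classify(key, name, data)
        if category:
            hits[process].add(category)
    return {p: {"categories": sorted(c), "flagged": len(c) >= min_categories}
            for p, c in hits.items()}


def assess_report(rows, min_categories=2):
    """Parse report rows, drop lines that are not 'Set value' records, then assess."""
    events = [e for e in map(parse_report_row, rows) if e]
    return assess(events, min_categories)


if __name__ == "__main__":
    for process, verdict in assess_report(SAMPLE_ROWS).items():
        print(process, verdict)
```

A single hit (for example EnableFirewall set to 0 by an installer) is not flagged on its own; it is the combination across controls, all from one process, that separates this sample from administrative noise. One caveat a responder should keep in mind: the Security Center Override/DisableNotify values are legacy settings, so treat them as evidence of intent to suppress alerts rather than as proof that protection was actually disabled on a Windows 10 host, and verify the firewall and UAC state separately.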
Processes
-
image  command line  PID (an indented entry is a child of the entry above it)
- C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:784
- C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:792
- C:\Windows\system32\dwm.exe  "dwm.exe"  PID:316
- C:\Windows\system32\sihost.exe  sihost.exe  PID:2648
- C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2672
- C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2744
- C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3508
  - C:\Users\Admin\AppData\Local\Temp\f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe  "C:\Users\Admin\AppData\Local\Temp\f7090c7e2b3a4b84806b92b33b31ab5eb3b2f3578f41eebe1c99782e3f17bb93.exe"  PID:2136
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3684
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3864
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3960
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4024
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:1000
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3944
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4620
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:2304
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:808
- C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:2696
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Filesize 899B
  MD5 8051cb974e473e640b5cebae88774c8b
  SHA1 59577a666cbea023c583ff808fd3a99621f84f23
  SHA256 6077566eb3f9e2ccffca1ea7a113dbd56b7fbb5a4b5a5d6f06d2b4e9269d6ce4
  SHA512 af1ccf234bba29c640ff1f1c6dedc6f63ed39b0351023cb75539bc8c89d1253e82b64c9c3512c7af0a020d91d5e9d442b26c75ec0682ac2f7d8d4e54c91335af
- Filesize 899B
  MD5 c8f852c08083803f5235711fc31c9ce8
  SHA1 82ba22243c0c7b83653c5cdabc06c10d76fc4caa
  SHA256 ac50ca836e793a43757fbbf2f4511f7fb426a9a6bebf24fc1ca257f516ae6d1b
  SHA512 c9c41b900910c0b0249932081da4a7e84ae550fbed9a566a89661254b4c3cb732c8f575ff8fb16919c43a5bc2bbc666aae3d06ce6c29f8da1aea064f5c6c2077
- Filesize 899B
  MD5 e1ba99a8ae393fbf6fa8c34df07269db
  SHA1 f6011102a3d21bd4bb05f9c75572ecbe52544252
  SHA256 ea203b3419723c791eb4a76f1b3a223b105556839df769ba177354b9d5bc4636
  SHA512 0166ebb1a9c7c2b7806311f83aee72836583a9ac42373f89de736d1bdf0b30083a2118479ef6ccf6db5c344b2c9609e70defc0ce5f2197e3cccaf22d9ad7c685
- Filesize 899B
  MD5 aa8249ef3b00a141d46ba183d8b36977
  SHA1 8ae57973a5b6d564b5d7a5ab4b24cd16e099eb9c
  SHA256 b26dce4408f45240a207c1b266d3c8ad7e8207d3c810c9ee5253ea7528966a1a
  SHA512 84d220a385e1ae0fb1ad8b53ed2dc2efd2c3f22e734a28c109c1981b621708c6640f5250de6a0f27884f9505ba6edacdbdef777dbb89cec9fbb778f0bdc36d7b
- Filesize 899B
  MD5 d0185db1e709cd2188b6d7bbec694b04
  SHA1 39e75da074fdf235536f358836eb686a773dfff0
  SHA256 8a04746cd4388584d66ee2bafff2d04abef68e95f8e6d0557552119ea08e190e
  SHA512 7b9fc23ea502c73043602cf23b0df8f1d85511e6a4ae2b1fff46c77f3a33c1752006bdb3a89c26943cef7dea2a654c7bc359c5c2ea0e2f1402a0e2ce5f98cb81
- Filesize 899B
  MD5 464529bbff552a2d2b21e0d4e4a10d95
  SHA1 aa43f86a3c0ef61f1ad0292734738d23882b2c41
  SHA256 1b26144883f75a7d92e733922c5752cd421e92a3e3621609be42aab8674605d3
  SHA512 e79b714ff76180ae3064726b25f034b12b04c8b49715c5c97657f10e60e558ea3d40dce8618182e4a479214511b947865bc1d663b7c5a11cc08d508febfb9f99
- Filesize 899B
  MD5 0a941cd9f8dd69fbc6611b3e88266d77
  SHA1 3f7d7103de1480950ff01c55a8be036bbc9e8720
  SHA256 8ab4737aba25ebadd232d36bf99719b63535d540e82b01f2816f42e07291e1ae
  SHA512 f2fd5c4ccbc837ca67c1c9593c07147da0d63ae9d1fce5461c9e29aa8869a058d60aa98f13893a1ca174a49bd2a0510d6c3e54b4319760d7a49f2c7bff775fa6
- Filesize 899B
  MD5 5f032a0ee395dcbe248c607fdc48ee47
  SHA1 e2bd0bfcb6f3f8d5766bfb2c4074bedb6c0cf71f
  SHA256 9466f1355c4a777ff7e368aaa0561589b914d5c10eedead22e6ab0a2d72a7a91
  SHA512 ee0658dda803bf2d8937b960119e4e37c6b9a710b8bf1948bc4c1f21a62f83a23844920fdeba7bfc77ec66b4993c75dc5d956217b7609ab2ae27a6b861c4b3bc
- Filesize 899B
  MD5 3283fcf3cb3cd4aa5fb7489e8d98b025
  SHA1 aff6ff11b6cebba549fec4cf5e9e0c9192db8cfd
  SHA256 9526fee6ba0e10a46a1f78b6365869b33b6e48eab5efa9e5de6adcfc98715302
  SHA512 f3a58094fb68ccbd46c2ff7120ac40df405e211d555a7a2b1d6d91b3c7fedfd5ef17973ec7329fc0d49282ed67ae929d24199802a042d708a688e6c8a3685fe5
- Filesize 97KB
  MD5 946c8a70bb8d62d5c99a7aef575ec00a
  SHA1 d27d082f0589ff0eb114875973c81a262ad4135b
  SHA256 d5cb725363bdf7b1ee3949da6cb7e29fdb8e6cb422c4c4c84660c2da880ae0d4
  SHA512 1fad99f4c0b039e840a3d8117218949685384408530d5d61768a928599f9850e839b3d885bb59a6eb287d4b3251f6b50a61a06d43d01474dec9d627f62603a60