Analysis
max time kernel: 122s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250207-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-02-2025 16:45
Static task: static1
Behavioral task: behavioral1 (Sample: 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe, Resource: win7-20241010-en)
General
Target: 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Size: 11.2MB
MD5: a429e4925084ffe2bf3b86219a3e4d97
SHA1: 472f6701f1f6d531b3dd3cce282c3593bd1037ee
SHA256: 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c
SHA512: 674a9691aae070698ba6277f13499088fa9b5759e2a07aeb46c228512b23aa5a7c49cd7ee950471d43676712195e4578b407e5fb17642c307166301a2dbe6b99
SSDEEP: 196608:4IJaU6Vz0Yq/xBWFU28OYcRSh4eZ02d1Cargnap4LWUvJ0kjpdGThgy/0Z+ZPu:/F6yZWU28PW0LN7pwvb8TB0Im
Malware Config
Extracted
Family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Sality family
UAC bypass 3 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Windows security bypass 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Downloads MZ/PE file 1 IoCs
flow | pid | Process
38 | 3464 | Process not Found
Executes dropped EXE 1 IoCs
pid | Process
2516 | DeltaForceMiniloader.exe
Windows security modification 2 TTPs 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Enumerates connected drives 3 TTPs 43 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: through \??\Z: except \??\F: (21 drive roots: E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened (read-only) | \??\E: through \??\Z: (22 drive roots: E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) | DeltaForceMiniloader.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | F:\autorun.inf | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
resource | yara_rule
behavioral2/memory/3140-N-0x0000000002230000-0x00000000032BE000-memory.dmp | upx
(41 memory dumps of the same region of PID 3140 matched the upx rule, for N = 1, 3, 4, 5, 6, 9, 11, 13, 14, 24, 25, 28, 37, 38, 44, 45, 47, 48, 55, 56, 58, 60, 64, 65, 66, 67, 68, 70, 71, 72, 73, 76, 78, 80, 81, 87, 88, 90, 93, 94, 97)
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DeltaForceMiniloader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3200 | MicrosoftEdgeUpdate.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | Process
3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe (24 entries)
2516 | DeltaForceMiniloader.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe (all 64 entries are identical)
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
2516 | DeltaForceMiniloader.exe (3 entries)
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
2516 | DeltaForceMiniloader.exe (3 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2516 | DeltaForceMiniloader.exe
Suspicious use of WriteProcessMemory 64 IoCs
The 64 logged writes cycle repeatedly over the same set of target processes; the unique rows, in order of first appearance, are:
description | pid | Process | procid_target
PID 3140 wrote to memory of 788 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 8
PID 3140 wrote to memory of 796 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 9
PID 3140 wrote to memory of 384 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 13
PID 3140 wrote to memory of 2352 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 52
PID 3140 wrote to memory of 672 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 53
PID 3140 wrote to memory of 3168 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 54
PID 3140 wrote to memory of 3476 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 57
PID 3140 wrote to memory of 3580 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 58
PID 3140 wrote to memory of 3784 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 59
PID 3140 wrote to memory of 3876 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 60
PID 3140 wrote to memory of 3940 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 61
PID 3140 wrote to memory of 4040 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 62
PID 3140 wrote to memory of 4144 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 63
PID 3140 wrote to memory of 3628 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 76
PID 3140 wrote to memory of 1036 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 77
PID 3140 wrote to memory of 4072 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 83
PID 3140 wrote to memory of 4036 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 84
PID 3140 wrote to memory of 5020 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 86
PID 3140 wrote to memory of 2084 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 87
PID 3140 wrote to memory of 2516 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 90
PID 3140 wrote to memory of 1276 | 3140 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 89
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Processes
-
Process image  |  Command line  |  PID (indented entries are children of the process above them)
-
C:\Windows\system32\fontdrvhost.exe  |  "fontdrvhost.exe"  |  PID:788
-
C:\Windows\system32\fontdrvhost.exe  |  "fontdrvhost.exe"  |  PID:796
-
C:\Windows\system32\dwm.exe  |  "dwm.exe"  |  PID:384
-
C:\Windows\system32\sihost.exe  |  sihost.exe  |  PID:2352
-
C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  |  PID:672
-
C:\Windows\system32\taskhostw.exe  |  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  |  PID:3168
-
C:\Windows\Explorer.EXE  |  C:\Windows\Explorer.EXE  |  PID:3476
  -
  C:\Users\Admin\AppData\Local\Temp\0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe  |  "C:\Users\Admin\AppData\Local\Temp\0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe"  |  PID:3140
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    -
    C:\Users\Admin\AppData\Local\DeltaForceMiniloader\DeltaForceMiniloader.exe  |  "C:\Users\Admin\AppData\Local\DeltaForceMiniloader\DeltaForceMiniloader.exe"  |  PID:2516
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  |  PID:3580
-
C:\Windows\system32\DllHost.exe  |  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  |  PID:3784
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  |  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  |  PID:3876
-
C:\Windows\System32\RuntimeBroker.exe  |  C:\Windows\System32\RuntimeBroker.exe -Embedding  |  PID:3940
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  |  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  |  PID:4040
-
C:\Windows\System32\RuntimeBroker.exe  |  C:\Windows\System32\RuntimeBroker.exe -Embedding  |  PID:4144
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  |  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  |  PID:3628
-
C:\Windows\System32\RuntimeBroker.exe  |  C:\Windows\System32\RuntimeBroker.exe -Embedding  |  PID:1036
-
C:\Windows\system32\backgroundTaskHost.exe  |  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca  |  PID:4072
-
C:\Windows\system32\backgroundTaskHost.exe  |  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  |  PID:4036
-
C:\Windows\system32\BackgroundTaskHost.exe  |  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider  |  PID:5020
-
C:\Windows\System32\RuntimeBroker.exe  |  C:\Windows\System32\RuntimeBroker.exe -Embedding  |  PID:2084
-
C:\Windows\System32\RuntimeBroker.exe  |  C:\Windows\System32\RuntimeBroker.exe -Embedding  |  PID:1276
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  |  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTQxNTQwNDAzIi8-PC9hcHA-PC9yZXF1ZXN0Pg  |  PID:3200
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\RuntimeBroker.exe  |  C:\Windows\System32\RuntimeBroker.exe -Embedding  |  PID:2272
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads