Analysis
max time kernel: 121s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250207-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-02-2025 12:47
Static task: static1
Behavioral task: behavioral1
Sample: 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Resource: win7-20240903-en
General
Target: 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Size: 11.2MB
MD5: a429e4925084ffe2bf3b86219a3e4d97
SHA1: 472f6701f1f6d531b3dd3cce282c3593bd1037ee
SHA256: 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c
SHA512: 674a9691aae070698ba6277f13499088fa9b5759e2a07aeb46c228512b23aa5a7c49cd7ee950471d43676712195e4578b407e5fb17642c307166301a2dbe6b99
SSDEEP: 196608:4IJaU6Vz0Yq/xBWFU28OYcRSh4eZ02d1Cargnap4LWUvJ0kjpdGThgy/0Z+ZPu:/F6yZWU28PW0LN7pwvb8TB0Im
Malware Config
Extracted: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe

Sality family

UAC bypass (3 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe

Windows security bypass (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe

Downloads MZ/PE file (2 IoCs)
flow | pid | Process
44 | 4512 | Process not Found
53 | 4664 | Process not Found

Executes dropped EXE (1 IoC)
pid | Process
4888 | DeltaForceMiniloader.exe

Windows security modification (2 TTPs, 7 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe

Checks whether UAC is enabled (1 TTP, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Enumerates connected drives (3 TTPs, 43 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (21 drive roots, one IoC each) | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened (read-only) | \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (22 drive roots, one IoC each) | DeltaForceMiniloader.exe

Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | F:\autorun.inf | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe

resource | yara_rule
behavioral2/memory/4568-N-0x00000000022A0000-0x000000000332E000-memory.dmp, for N in 1, 3, 4, 5, 6, 7, 8, 9, 13, 17, 26, 27, 37, 42, 43, 45, 46, 47, 49, 51, 57, 58, 62, 64, 66, 68, 75, 77, 79, 81, 83, 85, 87, 89, 91, 92, 96, 98 (38 memory dumps of PID 4568, same region each time) | upx
Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DeltaForceMiniloader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2136 | MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | Process | occurrences
4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 24
4888 | DeltaForceMiniloader.exe | 2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process | occurrences
Token: SeDebugPrivilege | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 64

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process | occurrences
4888 | DeltaForceMiniloader.exe | 3

Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process | occurrences
4888 | DeltaForceMiniloader.exe | 3

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4888 | DeltaForceMiniloader.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | occurrences
PID 4568 wrote to memory of 792 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 9 | 4
PID 4568 wrote to memory of 796 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 10 | 4
PID 4568 wrote to memory of 388 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 13 | 4
PID 4568 wrote to memory of 2568 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 42 | 4
PID 4568 wrote to memory of 2584 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 43 | 3
PID 4568 wrote to memory of 2684 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 46 | 3
PID 4568 wrote to memory of 3456 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 55 | 3
PID 4568 wrote to memory of 3668 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 57 | 3
PID 4568 wrote to memory of 3860 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 58 | 3
PID 4568 wrote to memory of 4004 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 59 | 3
PID 4568 wrote to memory of 4068 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 60 | 3
PID 4568 wrote to memory of 2840 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 61 | 3
PID 4568 wrote to memory of 4120 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 62 | 3
PID 4568 wrote to memory of 3800 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 75 | 3
PID 4568 wrote to memory of 5080 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 76 | 3
PID 4568 wrote to memory of 3276 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 82 | 3
PID 4568 wrote to memory of 5016 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 83 | 3
PID 4568 wrote to memory of 4360 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 87 | 2
PID 4568 wrote to memory of 2820 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 88 | 2
PID 4568 wrote to memory of 4888 | 4568 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 89 | 5

System policy modification (1 TTP, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Processes
- [depth 1] C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID:792
- [depth 1] C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID:796
- [depth 1] C:\Windows\system32\dwm.exe  cmd: "dwm.exe"  PID:388
- [depth 1] C:\Windows\system32\sihost.exe  cmd: sihost.exe  PID:2568
- [depth 1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2584
- [depth 1] C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2684
- [depth 1] C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID:3456
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe"  PID:4568
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - [depth 3] C:\Users\Admin\AppData\Local\DeltaForceMiniloader\DeltaForceMiniloader.exe  cmd: "C:\Users\Admin\AppData\Local\DeltaForceMiniloader\DeltaForceMiniloader.exe"  PID:4888
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
- [depth 1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3668
- [depth 1] C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3860
- [depth 1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:4004
- [depth 1] C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4068
- [depth 1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:2840
- [depth 1] C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4120
- [depth 1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:3800
- [depth 1] C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:5080
- [depth 1] C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca  PID:3276
- [depth 1] C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:5016
- [depth 1] C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4360
- [depth 1] C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:2820
- [depth 1] C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTE5NTgzMzI3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg  PID:2136
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
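The two behaviours the report's signatures turn into ATT&CK techniques (the EnableLUA / FirewallPolicy registry writes, and the run of "wrote to memory of" events from PID 4568 into fontdrvhost.exe, dwm.exe, sihost.exe and the other system processes listed above) are only meaningful once the target PIDs are resolved against the process list. The following is an added example, not part of the sandbox report and not Sality's code: a small parser that reads the report's own line formats, resolves write targets to image paths, and tags each event with the technique the report's MITRE mapping uses (T1548.002 Bypass User Account Control, T1562.004 Disable or Modify System Firewall, T1112 Modify Registry, T1055 Process Injection). The helper names (`parse_processes`, `analyze`, `summarize`, `is_system_image`), the `TAMPER` table and the one "Unrelated" registry line are this example's own assumptions; the remaining sample lines are copied from the report.

```python
"""Correlate Triage-style behaviour events with the report's process list.

Added example; not part of the sandbox report and not the malware's code.
Three line shapes from the report above are parsed:
  * 'Set value (int) \\REGISTRY\\... = "0" <process>'      (registry writes)
  * 'PID <src> wrote to memory of <dst> <src> <image> <n>' (cross-process writes)
  * '<image path> ... PID:<n>'                             (process list)
"""
import re
from dataclasses import dataclass

SAMPLE = "0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed sample input: values taken from the report, except the
# "Unrelated" registry line, which is invented to exercise the generic path.
PROCESS_LINES = [
    r"C:\Windows\system32\fontdrvhost.exe PID:792",
    r"C:\Windows\system32\dwm.exe PID:388",
    r"C:\Windows\system32\sihost.exe PID:2568",
    r"C:\Windows\Explorer.EXE PID:3456",
    TEMP + "\\" + SAMPLE + " PID:4568",
    r"C:\Users\Admin\AppData\Local\DeltaForceMiniloader\DeltaForceMiniloader.exe PID:4888",
    r"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe PID:3800",
]
EVENT_LINES = [
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" {SAMPLE}',
    rf'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" {SAMPLE}',
    rf'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" {SAMPLE}',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Example\Unrelated = "1" notepad.exe',  # constructed
    rf"PID 4568 wrote to memory of 3800 4568 {SAMPLE} 75",
    rf"PID 4568 wrote to memory of 792 4568 {SAMPLE} 9",
    rf"PID 4568 wrote to memory of 388 4568 {SAMPLE} 13",
    rf"PID 4568 wrote to memory of 2568 4568 {SAMPLE} 42",
    rf"PID 4568 wrote to memory of 4360 4568 {SAMPLE} 87",  # PID absent from PROCESS_LINES
]

REG_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+) = "([^"]*)" (\S+)$')
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+)")
# Image path runs up to the first ".exe"; PID is the trailing "PID:<n>". This also
# copes with the raw report rows where the command line is glued to the path.
PROC_RE = re.compile(r"^(.+?\.exe)\b.*PID:(\d+)\s*$", re.IGNORECASE)

# Registry value-name suffix -> (data the sample writes, ATT&CK technique).
# Assumed table built from the report's own IoCs.
TAMPER = {
    r"\Policies\System\EnableLUA": ("0", "T1548.002"),                      # Bypass User Account Control
    r"\FirewallPolicy\StandardProfile\EnableFirewall": ("0", "T1562.004"),   # Disable or Modify System Firewall
    r"\FirewallPolicy\StandardProfile\DoNotAllowExceptions": ("0", "T1562.004"),
    r"\FirewallPolicy\StandardProfile\DisableNotifications": ("1", "T1562.004"),
}


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID
    source: str     # process image that performed the action
    detail: str


def parse_processes(lines):
    """Map PID -> image path from process-list rows."""
    procs = {}
    for line in lines:
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def is_system_image(path):
    """True for images under C:\\Windows (fontdrvhost, dwm, sihost, Explorer, ...)."""
    return path.lower().startswith("c:\\windows\\")


def analyze(event_lines, procs):
    """Tag each registry write or cross-process write with a technique ID."""
    findings = []
    for line in event_lines:
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            _, key, data, proc = m.groups()
            for suffix, (bad, tid) in TAMPER.items():
                if key.lower().endswith(suffix.lower()):
                    if data == bad:  # a write restoring the secure value is not flagged
                        findings.append(Finding(tid, proc, f"{key} = {data}"))
                    break
            else:
                findings.append(Finding("T1112", proc, f"{key} = {data}"))
            continue
        m = WPM_RE.match(line)
        if m:
            src_pid, dst_pid, _, image = m.groups()
            target = procs.get(int(dst_pid))
            if target is None:
                where = "target PID not in process list"
            elif is_system_image(target):
                where = "target is a Windows system image"
            else:
                where = "target is not a Windows image"
            findings.append(Finding("T1055", image, f"pid {src_pid} -> pid {dst_pid} ({target or '?'}): {where}"))
    return findings


def summarize(findings):
    """Count findings per technique ID."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(EVENT_LINES, parse_processes(PROCESS_LINES)):
        print(f.technique, f.source, f.detail)
    print(summarize(analyze(EVENT_LINES, parse_processes(PROCESS_LINES))))
```

On the report's data every T1055 target that resolves is an image under C:\Windows, which is what makes the WriteProcessMemory events worth more than the generic "Suspicious use of WriteProcessMemory" tag: a user-mode sample writing into fontdrvhost.exe, dwm.exe and sihost.exe is injection into processes it has no business touching, and a write into a PID the process list never saw is worth a second look rather than a silent drop.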
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 4.8MB
  MD5: ee5ef0b4228a3368865d09d356e1f425
  SHA1: 1de28e6a6d1001244a18769eac87fe2ab57466a8
  SHA256: 575f63d837599be48eb726134df9494bf82284ef8813f90ec00d825b041700dd
  SHA512: a1a3ca6adcb46e4d6dea9d81edecfa1ec8a855f0d11565ae323f2a4329bd1ed1b7ee102810a5a618cd1c838a7647cfafc5b9a23ca13ed2a98a7e9e82a799a197
- Filesize: 113B
  MD5: 1e8cf5946a37d9a084be613554260815
  SHA1: 94b5aee19918d59c83785ac27de9c7c076f12091
  SHA256: e8a59173f505dbedf4dd37eec210e5e539a243e46f521a8ba8d2ec13fd99d29f
  SHA512: abe7ebaf55dbccb4fc8c1a39c36427f381568642dde0855208244133cae23dbca7a8776c3b67303673413ed6047574e22e349697bfb22fe5f9395bcf86f8a2cb
- Filesize: 3KB
  MD5: 7b1a58ee33bfd46ac14b53065e1e038d
  SHA1: 3e50ff8f61cc67d96fd03bf34e4861d5852c8da7
  SHA256: eeb9c9a561a7ab10b88d6b02647604f058c431958bd0c785cd089e046352e746
  SHA512: 1abbe6e9281788d7cfb53d064af9937241a5bd226c0379bc8737a02e3d96374444697f9d852da8c11c9238e966de87293332d1e28f40d0017a869a279c94669c
- Filesize: 101KB
  MD5: 468473588388a174c9968053481445ee
  SHA1: 391242deaa09813b216c02a5f60bbd9420110a93
  SHA256: bfe07e37fedd7c2d73f75711ef84a04f0d14709d8a0827541d4257ec6c78946e
  SHA512: fddfc866dc64e6dc8ef5ddd82b6ae067b168a7dfbc0caf7b0dbdaf9f34dda2c3210e4ee6ede74819cee41405d2568639cfe2e36bbc1b61fca119ffdb5aac6722
- Filesize: 2.7MB
  MD5: 83afc082ed4de70d47be303d4f2b4c94
  SHA1: 30b3b74fe543c07568eff1c4330481857f08a534
  SHA256: 3741b6216f5b0c779cc0c2a4c2400b89f4a5526d785f0b4dc542a5da2a7aa234
  SHA512: 7513995574b643cf6527f61b32f22cfd3e6eabdac6ebec8b80ac6084e7d1a560cb526dcac1c2b5b1466b7ad5fc4b814f37f039f10d2340ea7f208997b5a53eea
- Filesize: 100KB
  MD5: b63ae88dd8f5417d0b0893816d16ec03
  SHA1: f2d9acdd4bbeceaf8618e201e308a6124b78d109
  SHA256: 0e30f2877d3ab8e377fc17ee8cca65ccc53ef65d80046a454d0aae35007a437d
  SHA512: ab5cc4e5516e57ec4154055a99b63440f86b9ee3e6f423ecde754505572c9fa88d641d08b666f6ff3df22e7ffd6c3d98a1debb16c0154bf2f725083b79dce725