Analysis
max time kernel: 148s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 20:14
Static task: static1
Behavioral task: behavioral1
Sample: eaffcb7caefb77fd919ab1be9dc5f1e5bcb77d561e62a4e0f334229d86a66a14.dll
Resource: win7-20240221-en
General
Target: eaffcb7caefb77fd919ab1be9dc5f1e5bcb77d561e62a4e0f334229d86a66a14.dll
Size: 120KB
MD5: 27042f56e7b30ffabd3dc5251f673930
SHA1: 473077f2a7a985d6853c01f091e5884cb7cdfd4e
SHA256: eaffcb7caefb77fd919ab1be9dc5f1e5bcb77d561e62a4e0f334229d86a66a14
SHA512: a74f0a315e497f09d753a05a2f4a52bdacdd7c93cb7e696715ea75b5f060d2957d26cb4f805ddc146fd98f330786184a7ad313fd98345f1c6e47d8c149e1a66c
SSDEEP: 3072:v1TEbizIKxzr6tiDeccQdBrTIAvw3wCsczANu/:pzB+WeT0rC3zK
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 6 IoCs
Processes: e57736b.exe, e574d93.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e574d93.exe
UAC bypass
Processes: e574d93.exe, e57736b.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57736b.exe
Windows security bypass
Processes: e574d93.exe, e57736b.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574d93.exe
Executes dropped EXE 3 IoCs
Processes: e574d93.exe, e574efb.exe, e57736b.exe
pid | process
1944 | e574d93.exe
1656 | e574efb.exe
1252 | e57736b.exe
Processes:
resource | yara_rule
behavioral2/memory/1944-6-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-8-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-10-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-18-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-30-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-33-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-28-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-9-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-34-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-35-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-36-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-37-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-38-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-39-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-40-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-58-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-59-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-60-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-62-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-63-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-66-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-67-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-69-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-73-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1944-75-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1252-115-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
Windows security modification
Processes: e57736b.exe, e574d93.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574d93.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574d93.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57736b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574d93.exe
Checks whether UAC is enabled
Processes: e574d93.exe, e57736b.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57736b.exe
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e574d93.exe
description | ioc | process
File opened (read-only) | \??\E: | e574d93.exe
File opened (read-only) | \??\G: | e574d93.exe
File opened (read-only) | \??\K: | e574d93.exe
File opened (read-only) | \??\L: | e574d93.exe
File opened (read-only) | \??\M: | e574d93.exe
File opened (read-only) | \??\H: | e574d93.exe
File opened (read-only) | \??\I: | e574d93.exe
File opened (read-only) | \??\J: | e574d93.exe
File opened (read-only) | \??\N: | e574d93.exe
Drops file in Windows directory 3 IoCs
Processes: e574d93.exe, e57736b.exe
description | ioc | process
File created | C:\Windows\e574df1 | e574d93.exe
File opened for modification | C:\Windows\SYSTEM.INI | e574d93.exe
File created | C:\Windows\e57c1f8 | e57736b.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: e574d93.exe
pid | process
1944 | e574d93.exe
1944 | e574d93.exe
1944 | e574d93.exe
1944 | e574d93.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e574d93.exe
description | pid | process
Token: SeDebugPrivilege | 1944 | e574d93.exe (this identical entry is recorded 64 times)
Suspicious use of WriteProcessMemory 55 IoCs
Processes: rundll32.exe, rundll32.exe, e574d93.exe
description | pid | process | target process
PID 4588 wrote to memory of 1356 | 4588 | rundll32.exe | rundll32.exe
PID 4588 wrote to memory of 1356 | 4588 | rundll32.exe | rundll32.exe
PID 4588 wrote to memory of 1356 | 4588 | rundll32.exe | rundll32.exe
PID 1356 wrote to memory of 1944 | 1356 | rundll32.exe | e574d93.exe
PID 1356 wrote to memory of 1944 | 1356 | rundll32.exe | e574d93.exe
PID 1356 wrote to memory of 1944 | 1356 | rundll32.exe | e574d93.exe
PID 1944 wrote to memory of 784 | 1944 | e574d93.exe | fontdrvhost.exe
PID 1944 wrote to memory of 788 | 1944 | e574d93.exe | fontdrvhost.exe
PID 1944 wrote to memory of 336 | 1944 | e574d93.exe | dwm.exe
PID 1944 wrote to memory of 2648 | 1944 | e574d93.exe | sihost.exe
PID 1944 wrote to memory of 2848 | 1944 | e574d93.exe | svchost.exe
PID 1944 wrote to memory of 2796 | 1944 | e574d93.exe | taskhostw.exe
PID 1944 wrote to memory of 3452 | 1944 | e574d93.exe | Explorer.EXE
PID 1944 wrote to memory of 3552 | 1944 | e574d93.exe | svchost.exe
PID 1944 wrote to memory of 3748 | 1944 | e574d93.exe | DllHost.exe
PID 1944 wrote to memory of 3844 | 1944 | e574d93.exe | StartMenuExperienceHost.exe
PID 1944 wrote to memory of 3904 | 1944 | e574d93.exe | RuntimeBroker.exe
PID 1944 wrote to memory of 3996 | 1944 | e574d93.exe | SearchApp.exe
PID 1944 wrote to memory of 3512 | 1944 | e574d93.exe | RuntimeBroker.exe
PID 1944 wrote to memory of 2272 | 1944 | e574d93.exe | RuntimeBroker.exe
PID 1944 wrote to memory of 3956 | 1944 | e574d93.exe | TextInputHost.exe
PID 1944 wrote to memory of 2092 | 1944 | e574d93.exe | backgroundTaskHost.exe
PID 1944 wrote to memory of 2768 | 1944 | e574d93.exe | backgroundTaskHost.exe
PID 1944 wrote to memory of 4588 | 1944 | e574d93.exe | rundll32.exe
PID 1944 wrote to memory of 1356 | 1944 | e574d93.exe | rundll32.exe
PID 1944 wrote to memory of 1356 | 1944 | e574d93.exe | rundll32.exe
PID 1356 wrote to memory of 1656 | 1356 | rundll32.exe | e574efb.exe
PID 1356 wrote to memory of 1656 | 1356 | rundll32.exe | e574efb.exe
PID 1356 wrote to memory of 1656 | 1356 | rundll32.exe | e574efb.exe
PID 1356 wrote to memory of 1252 | 1356 | rundll32.exe | e57736b.exe
PID 1356 wrote to memory of 1252 | 1356 | rundll32.exe | e57736b.exe
PID 1356 wrote to memory of 1252 | 1356 | rundll32.exe | e57736b.exe
PID 1944 wrote to memory of 784 | 1944 | e574d93.exe | fontdrvhost.exe
PID 1944 wrote to memory of 788 | 1944 | e574d93.exe | fontdrvhost.exe
PID 1944 wrote to memory of 336 | 1944 | e574d93.exe | dwm.exe
PID 1944 wrote to memory of 2648 | 1944 | e574d93.exe | sihost.exe
PID 1944 wrote to memory of 2848 | 1944 | e574d93.exe | svchost.exe
PID 1944 wrote to memory of 2796 | 1944 | e574d93.exe | taskhostw.exe
PID 1944 wrote to memory of 3452 | 1944 | e574d93.exe | Explorer.EXE
PID 1944 wrote to memory of 3552 | 1944 | e574d93.exe | svchost.exe
PID 1944 wrote to memory of 3748 | 1944 | e574d93.exe | DllHost.exe
PID 1944 wrote to memory of 3844 | 1944 | e574d93.exe | StartMenuExperienceHost.exe
PID 1944 wrote to memory of 3904 | 1944 | e574d93.exe | RuntimeBroker.exe
PID 1944 wrote to memory of 3996 | 1944 | e574d93.exe | SearchApp.exe
PID 1944 wrote to memory of 3512 | 1944 | e574d93.exe | RuntimeBroker.exe
PID 1944 wrote to memory of 2272 | 1944 | e574d93.exe | RuntimeBroker.exe
PID 1944 wrote to memory of 3956 | 1944 | e574d93.exe | TextInputHost.exe
PID 1944 wrote to memory of 2092 | 1944 | e574d93.exe | backgroundTaskHost.exe
PID 1944 wrote to memory of 2768 | 1944 | e574d93.exe | backgroundTaskHost.exe
PID 1944 wrote to memory of 1656 | 1944 | e574d93.exe | e574efb.exe
PID 1944 wrote to memory of 1656 | 1944 | e574d93.exe | e574efb.exe
PID 1944 wrote to memory of 2640 | 1944 | e574d93.exe | RuntimeBroker.exe
PID 1944 wrote to memory of 2844 | 1944 | e574d93.exe | RuntimeBroker.exe
PID 1944 wrote to memory of 1252 | 1944 | e574d93.exe | e57736b.exe
PID 1944 wrote to memory of 1252 | 1944 | e574d93.exe | e57736b.exe
System policy modification 1 TTPs 2 IoCs
Processes: e574d93.exe, e57736b.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574d93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57736b.exe
Processes
(image path | command line; indentation shows the position in the process tree)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe | "dwm.exe"
- C:\Windows\system32\sihost.exe | sihost.exe
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaffcb7caefb77fd919ab1be9dc5f1e5bcb77d561e62a4e0f334229d86a66a14.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaffcb7caefb77fd919ab1be9dc5f1e5bcb77d561e62a4e0f334229d86a66a14.dll,#1
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e574d93.exe | C:\Users\Admin\AppData\Local\Temp\e574d93.exe
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e574efb.exe | C:\Users\Admin\AppData\Local\Temp\e574efb.exe
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e57736b.exe | C:\Users\Admin\AppData\Local\Temp\e57736b.exe
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
- Modify Registry (5)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
Downloads
C:\Users\Admin\AppData\Local\Temp\e574d93.exe
Filesize: 97KB
MD5: 7ce4fafacb138d70c7103a92272aff53
SHA1: e3ceebce6283be7f4c0b2db998b4f82aebf4fff5
SHA256: b7ce269805b7f3fb1bfc61cafd6357c01ab7a37c9fa2d74837404cbfd09cea84
SHA512: c3327e15e68eb41db82590e97d46f92f58903b615fa97e5a2dd345eaa0a4627aadb08f71a8692dbcecef93097e3ff148a25b453d2df9de30d79f8e110bd70aaa

C:\Windows\SYSTEM.INI
Filesize: 257B
MD5: 566dbdfe23731c3d892219fd0d5c933e
SHA1: d953cbe239cd01964fc941d050cf29513f43577e
SHA256: bb244a493ae80b13169e510b4587962d7ff457dbb3152cb710f15857e98a9fb0
SHA512: 471b2fae1bccbcb15cdd6fa291bd785860ec9401886fb767de9ca74a7a1a591bc8fb737d3f2128de5e633a4156de521df6bb903727949b11012ae55b8f63289e

Memory dumps (dump | Filesize)
memory/1252-57-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/1252-115-0x0000000000B30000-0x0000000001BEA000-memory.dmp | 16.7MB
memory/1252-117-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1252-55-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/1252-53-0x0000000000530000-0x0000000000531000-memory.dmp | 4KB
memory/1252-48-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1356-15-0x0000000001140000-0x0000000001142000-memory.dmp | 8KB
memory/1356-20-0x0000000003F90000-0x0000000003F91000-memory.dmp | 4KB
memory/1356-11-0x0000000001140000-0x0000000001142000-memory.dmp | 8KB
memory/1356-19-0x0000000001140000-0x0000000001142000-memory.dmp | 8KB
memory/1356-1-0x0000000010000000-0x0000000010020000-memory.dmp | 128KB
memory/1656-32-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1656-54-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/1656-51-0x00000000001F0000-0x00000000001F1000-memory.dmp | 4KB
memory/1656-56-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/1656-96-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1944-39-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-58-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-35-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-36-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-37-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-38-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-34-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-40-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-9-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-28-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-33-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-30-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-31-0x0000000003520000-0x0000000003522000-memory.dmp | 8KB
memory/1944-18-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-10-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-14-0x0000000003BF0000-0x0000000003BF1000-memory.dmp | 4KB
memory/1944-59-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-60-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-62-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-63-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-66-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-67-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-69-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-73-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-85-0x0000000003520000-0x0000000003522000-memory.dmp | 8KB
memory/1944-75-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-92-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1944-21-0x0000000003520000-0x0000000003522000-memory.dmp | 8KB
memory/1944-8-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-6-0x00000000007B0000-0x000000000186A000-memory.dmp | 16.7MB
memory/1944-4-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB