Analysis
-
max time kernel
91s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05-09-2024 12:18
Static task
static1
Behavioral task
behavioral1
Sample
ea9fc82a8e9f6a12d560abd29ce254f0N.dll
Resource
win7-20240903-en
General
-
Target
ea9fc82a8e9f6a12d560abd29ce254f0N.dll
-
Size
120KB
-
MD5
ea9fc82a8e9f6a12d560abd29ce254f0
-
SHA1
460369833910f1e9c57bb23f7143f4175c5a3367
-
SHA256
b05f557767f39cab362f088c7544a50475a9c4900889da75791a0f9bbf5eb430
-
SHA512
9a4f10c5087268cf98413d63c2a529507682fb51a47a955ecd3bf164137b8bc9d6c3c129720809912bf520403039f229363cfca10f09d4b0ad54e2cf76ca9db6
-
SSDEEP
3072:Hq3rcWdKuU90PBdBXOroxc4Ls1oLMtkEb0i:KQWUyXBXOelfAtkU
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57e3f7.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57e3f7.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57e3f7.exe -
Executes dropped EXE 3 IoCs
pid Process 4548 e57bff4.exe 1588 e57c15c.exe 4704 e57e3f7.exe -
resource yara_rule behavioral2/memory/4548-6-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-9-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-8-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-11-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-10-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-12-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-23-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-22-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-30-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-35-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-31-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-36-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-37-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-38-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-39-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-41-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-50-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-51-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-62-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-63-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-65-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-68-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-69-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-71-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-77-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-78-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-81-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-83-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4548-99-0x0000000000890000-0x000000000194A000-memory.dmp upx behavioral2/memory/4704-118-0x0000000000B60000-0x0000000001C1A000-memory.dmp upx behavioral2/memory/4704-121-0x0000000000B60000-0x0000000001C1A000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57bff4.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57e3f7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57bff4.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57e3f7.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57e3f7.exe -
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: e57bff4.exe File opened (read-only) \??\I: e57bff4.exe File opened (read-only) \??\J: e57bff4.exe File opened (read-only) \??\K: e57bff4.exe File opened (read-only) \??\L: e57bff4.exe File opened (read-only) \??\M: e57bff4.exe File opened (read-only) \??\E: e57bff4.exe File opened (read-only) \??\N: e57bff4.exe File opened (read-only) \??\O: e57bff4.exe File opened (read-only) \??\P: e57bff4.exe File opened (read-only) \??\Q: e57bff4.exe File opened (read-only) \??\G: e57bff4.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\7z.exe e57bff4.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe e57bff4.exe File opened for modification C:\Program Files\7-Zip\7zG.exe e57bff4.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\e57c071 e57bff4.exe File opened for modification C:\Windows\SYSTEM.INI e57bff4.exe File created C:\Windows\e583285 e57e3f7.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57c15c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57e3f7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57bff4.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4548 e57bff4.exe 4548 e57bff4.exe 4548 e57bff4.exe 4548 e57bff4.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe Token: SeDebugPrivilege 4548 e57bff4.exe -
Suspicious use of WriteProcessMemory 53 IoCs
description pid Process procid_target PID 988 wrote to memory of 2216 988 rundll32.exe 85 PID 988 wrote to memory of 2216 988 rundll32.exe 85 PID 988 wrote to memory of 2216 988 rundll32.exe 85 PID 2216 wrote to memory of 4548 2216 rundll32.exe 86 PID 2216 wrote to memory of 4548 2216 rundll32.exe 86 PID 2216 wrote to memory of 4548 2216 rundll32.exe 86 PID 4548 wrote to memory of 780 4548 e57bff4.exe 8 PID 4548 wrote to memory of 788 4548 e57bff4.exe 9 PID 4548 wrote to memory of 380 4548 e57bff4.exe 13 PID 4548 wrote to memory of 2512 4548 e57bff4.exe 42 PID 4548 wrote to memory of 2536 4548 e57bff4.exe 43 PID 4548 wrote to memory of 2640 4548 e57bff4.exe 45 PID 4548 wrote to memory of 3368 4548 e57bff4.exe 56 PID 4548 wrote to memory of 3628 4548 e57bff4.exe 57 PID 4548 wrote to memory of 3800 4548 e57bff4.exe 58 PID 4548 wrote to memory of 3916 4548 e57bff4.exe 59 PID 4548 wrote to memory of 3980 4548 e57bff4.exe 60 PID 4548 wrote to memory of 4068 4548 e57bff4.exe 61 PID 4548 wrote to memory of 3552 4548 e57bff4.exe 62 PID 4548 wrote to memory of 2604 4548 e57bff4.exe 74 PID 4548 wrote to memory of 456 4548 e57bff4.exe 76 PID 4548 wrote to memory of 2992 4548 e57bff4.exe 83 PID 4548 wrote to memory of 988 4548 e57bff4.exe 84 PID 4548 wrote to memory of 2216 4548 e57bff4.exe 85 PID 4548 wrote to memory of 2216 4548 e57bff4.exe 85 PID 2216 wrote to memory of 1588 2216 rundll32.exe 87 PID 2216 wrote to memory of 1588 2216 rundll32.exe 87 PID 2216 wrote to memory of 1588 2216 rundll32.exe 87 PID 2216 wrote to memory of 4704 2216 rundll32.exe 91 PID 2216 wrote to memory of 4704 2216 rundll32.exe 91 PID 2216 wrote to memory of 4704 2216 rundll32.exe 91 PID 4548 wrote to memory of 780 4548 e57bff4.exe 8 PID 4548 wrote to memory of 788 4548 e57bff4.exe 9 PID 4548 wrote to memory of 380 4548 e57bff4.exe 13 PID 4548 wrote to memory of 2512 4548 e57bff4.exe 42 PID 4548 wrote to memory of 2536 4548 e57bff4.exe 43 PID 4548 wrote to memory of 2640 4548 e57bff4.exe 45 PID 4548 wrote to memory of 3368 4548 e57bff4.exe 56 PID 4548 wrote to memory of 3628 4548 e57bff4.exe 57 PID 4548 wrote to memory of 3800 4548 e57bff4.exe 58 PID 4548 wrote to memory of 3916 4548 e57bff4.exe 59 PID 4548 wrote to memory of 3980 4548 e57bff4.exe 60 PID 4548 wrote to memory of 4068 4548 e57bff4.exe 61 PID 4548 wrote to memory of 3552 4548 e57bff4.exe 62 PID 4548 wrote to memory of 2604 4548 e57bff4.exe 74 PID 4548 wrote to memory of 456 4548 e57bff4.exe 76 PID 4548 wrote to memory of 2992 4548 e57bff4.exe 83 PID 4548 wrote to memory of 1588 4548 e57bff4.exe 87 PID 4548 wrote to memory of 1588 4548 e57bff4.exe 87 PID 4548 wrote to memory of 2212 4548 e57bff4.exe 89 PID 4548 wrote to memory of 4236 4548 e57bff4.exe 90 PID 4548 wrote to memory of 4704 4548 e57bff4.exe 91 PID 4548 wrote to memory of 4704 4548 e57bff4.exe 91 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57bff4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57e3f7.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:788
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:380
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2512
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2536
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2640
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3368
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ea9fc82a8e9f6a12d560abd29ce254f0N.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ea9fc82a8e9f6a12d560abd29ce254f0N.dll,#13⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Users\Admin\AppData\Local\Temp\e57bff4.exeC:\Users\Admin\AppData\Local\Temp\e57bff4.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4548
-
-
C:\Users\Admin\AppData\Local\Temp\e57c15c.exeC:\Users\Admin\AppData\Local\Temp\e57c15c.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1588
-
-
C:\Users\Admin\AppData\Local\Temp\e57e3f7.exeC:\Users\Admin\AppData\Local\Temp\e57e3f7.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:4704
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3628
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3800
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3916
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3980
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4068
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3552
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:2604
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:456
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:2992
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2212
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4236
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request68.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request183.59.114.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.144.22.2.in-addr.arpaIN PTRResponse73.144.22.2.in-addr.arpaIN PTRa2-22-144-73deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request22.236.111.52.in-addr.arpaIN PTRResponse
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
68.159.190.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
183.59.114.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
73.144.22.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
22.236.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD57dcfddf2762f2ebb16c6000f9b7aaad5
SHA1eb8f85d171c080bf9e4654aa50b00da342a5d8f9
SHA25616a6ac8deb5f9e0cfc20b3a07d073bd77c67456ff955188fbacbe997e8c77304
SHA512feb3cb55026915e715c845fab315900d693283ff89f3f5436b8414ae8c5ed34369424ea8bb36b0f0dee422627597d7b94ed3fd07f960f24f54bded64467e01f6
-
Filesize
257B
MD5e51bc22eef364a4a1e5b418ebdde8a58
SHA1507a8ac4c5087f3446fbeb5eb146bfd4c8e47365
SHA25640c5ee117a8a4eaa2cf41229c1ebe4a18d92d03d2f8280319cf3a681a30332c4
SHA5124cdbff9fa39fea5299547acfc117dfc3d4050c9f87fb2b874049eb486af62c654e1cbc38b2d8e83ab39953a63d4497d61055447d554cc5d91cabc43d9d4a7aca