Analysis

- max time kernel: 37s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/11/2024, 04:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cadN.dll
- Resource: win7-20240903-en
General

- Target: beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cadN.dll
- Size: 120KB
- MD5: 8bbb208860c62587815d5f43f89e27a0
- SHA1: 7cb46181d64331b69a9f324938adfb4485f1f7ed
- SHA256: beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cad
- SHA512: 3ea26bab870370b40c9afe21dca6dda5ad1862837ac4743eb9490f3179cd8511d2c4785ad05931fba10d96c8e821d5aac713301e5552c6ae262794f6e1d44389
- SSDEEP: 3072:YRj/iIuUPdInt1iHOr7wgY/FRih3c7YN:lIu4dIt1iiZY9I+8N
Malware Config

Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Both e57b805.exe and e57fc52.exe set the following values (int) under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
- EnableFirewall = "0"
- DoNotAllowExceptions = "0"
- DisableNotifications = "1"

Sality family

UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57b805.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57fc52.exe)

Windows security bypass
Both e57b805.exe and e57fc52.exe set the following values (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
- AntiVirusDisableNotify = "1"
- FirewallDisableNotify = "1"
- UacDisableNotify = "1"
- FirewallOverride = "1"
- UpdatesDisableNotify = "1"
- AntiVirusOverride = "1"

Executes dropped EXE (3 IoCs)
- PID 4988 e57b805.exe
- PID 4428 e57ba67.exe
- PID 4192 e57fc52.exe

Windows security modification
Both e57b805.exe and e57fc52.exe create the key \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc and set the following values (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
- AntiVirusDisableNotify = "1"
- FirewallDisableNotify = "1"
- UacDisableNotify = "1"
- FirewallOverride = "1"
- UpdatesDisableNotify = "1"
- AntiVirusOverride = "1"

Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57fc52.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57b805.exe)

Enumerates connected drives (3 TTPs, 7 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\G: (e57b805.exe)
- File opened (read-only) \??\H: (e57b805.exe)
- File opened (read-only) \??\I: (e57b805.exe)
- File opened (read-only) \??\E: (e57fc52.exe)
- File opened (read-only) \??\G: (e57fc52.exe)
- File opened (read-only) \??\H: (e57fc52.exe)
- File opened (read-only) \??\E: (e57b805.exe)
Yara rule match (rule: upx)
- behavioral2/memory/4988-N-0x0000000000850000-0x000000000190A000-memory.dmp, for N = 6, 8, 9, 10, 11, 13, 18, 21, 33, 34, 35, 36, 37, 38, 43, 44, 46, 47, 56, 58, 62 (PID 4988, e57b805.exe)
- behavioral2/memory/4192-N-0x00000000007C0000-0x000000000187A000-memory.dmp, for N = 84, 86, 87, 90, 91, 92, 133 (PID 4192, e57fc52.exe)
Drops file in Windows directory (3 IoCs)
- File opened for modification C:\Windows\SYSTEM.INI (e57b805.exe)
- File created C:\Windows\e5823bf (e57fc52.exe)
- File created C:\Windows\e57b882 (e57b805.exe)

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57b805.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57ba67.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57fc52.exe)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 4988 e57b805.exe (4 entries)
- PID 4192 e57fc52.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 4988 e57b805.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs; duplicate entries collapsed, number in parentheses is procid_target)
- PID 2920 rundll32.exe wrote to memory of PID 4288 (84)
- PID 4288 rundll32.exe wrote to memory of PIDs 4988 (85), 4428 (86), 4192 (94)
- PID 4988 e57b805.exe wrote to memory of PIDs 784 (9), 792 (10), 316 (13), 2672 (44), 2680 (45), 3020 (51), 3456 (56), 3596 (57), 3776 (58), 3864 (59), 3924 (60), 4008 (61), 4148 (62), 3748 (74), 3324 (76), 836 (81), 3392 (82), 2920 (83), 4288 (84), 4428 (86)
- PID 4192 e57fc52.exe wrote to memory of PIDs 784 (9), 792 (10), 316 (13), 2672 (44), 2680 (45), 3020 (51), 3456 (56), 3596 (57), 3776 (58), 3864 (59), 3924 (60), 4008 (61)
System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57b805.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57fc52.exe)
Processes

- PID 784: C:\Windows\system32\fontdrvhost.exe (cmd: "fontdrvhost.exe")
- PID 792: C:\Windows\system32\fontdrvhost.exe (cmd: "fontdrvhost.exe")
- PID 316: C:\Windows\system32\dwm.exe (cmd: "dwm.exe")
- PID 2672: C:\Windows\system32\sihost.exe (cmd: sihost.exe)
- PID 2680: C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
- PID 3020: C:\Windows\system32\taskhostw.exe (cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
- PID 3456: C:\Windows\Explorer.EXE (cmd: C:\Windows\Explorer.EXE)
- PID 2920: C:\Windows\system32\rundll32.exe (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cadN.dll,#1)
  - Suspicious use of WriteProcessMemory
  - PID 4288: C:\Windows\SysWOW64\rundll32.exe (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cadN.dll,#1)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - PID 4988: C:\Users\Admin\AppData\Local\Temp\e57b805.exe (cmd: C:\Users\Admin\AppData\Local\Temp\e57b805.exe)
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - PID 4428: C:\Users\Admin\AppData\Local\Temp\e57ba67.exe (cmd: C:\Users\Admin\AppData\Local\Temp\e57ba67.exe)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    - PID 4192: C:\Users\Admin\AppData\Local\Temp\e57fc52.exe (cmd: C:\Users\Admin\AppData\Local\Temp\e57fc52.exe)
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
- PID 3596: C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
- PID 3776: C:\Windows\system32\DllHost.exe (cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
- PID 3864: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
- PID 3924: C:\Windows\System32\RuntimeBroker.exe (cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 4008: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
- PID 4148: C:\Windows\System32\RuntimeBroker.exe (cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 3748: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca)
- PID 3324: C:\Windows\System32\RuntimeBroker.exe (cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 836: C:\Windows\system32\backgroundTaskHost.exe (cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca)
- PID 3392: C:\Windows\system32\backgroundTaskHost.exe (cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca)
- PID 232: C:\Windows\System32\RuntimeBroker.exe (cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 2668: C:\Windows\System32\RuntimeBroker.exe (cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding)
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

- Filesize: 97KB
  MD5: 6ec3ad7c80f41a0bc24906b38812c51c
  SHA1: 3e8efa0470415f5095e46f1d7f4024281f9a89d2
  SHA256: 9c360222b1f4c29b787f79f68d3d512eeff8035535825ed9390f5048dbf0e950
  SHA512: 3f291b37034c3e69d3e341017744b38db9e78483aceba251e118563aeabb227fc4ba7b6be5ecf7d5f4a5ddeddfb2e4e8a0bef486ee03a7d240051fd5d4fa570a
- Filesize: 257B
  MD5: bfd94f005f3bdd67677e7a79ae35bec0
  SHA1: 1bad4405f744d518d25b1d9002a3ea78afd8e906
  SHA256: 01f85f68cb117207cd171a8f354cc0ed77034d8eb1fc63bcb20c569e3cddec6e
  SHA512: 5c22e7e727bfb1968d729c16604d35c8434bfe2ca44438787ce35acb87031e9580849e54a98d969664fa37ce1ec661a74f260a530762506fea27735b57c0ca75