Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/11/2024, 12:25
Static task: static1
Behavioral task: behavioral1
Sample: f1a286559610df0f7fb8048a04be42dedaddbab1059496f169d9faf933fdd70d.dll
Resource: win7-20241010-en
General
Target: f1a286559610df0f7fb8048a04be42dedaddbab1059496f169d9faf933fdd70d.dll
Size: 120KB
MD5: 1c0ac0c375e4d97e7578c0b5193efcb1
SHA1: 4230ae2d1c351b78f34c8726ff18012508aac1dc
SHA256: f1a286559610df0f7fb8048a04be42dedaddbab1059496f169d9faf933fdd70d
SHA512: 261b12240d0184d65aceb6d6f7308a68582e5fe1f915b0cb962c8a5b8f358d89c05c18930822ba65aead1c202936fd3895baf6a1376f21eb380a0dd6d7937f7c
SSDEEP: 3072:47PC+cPGZM521ArUJfnfplyprtAoyPBA5:4763QjAifDiEy
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e57e4b3.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57e4b3.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57e4b3.exe
Sality family

UAC bypass 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57e4b3.exe

Windows security bypass 12 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57e4b3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57e4b3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57e4b3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57e4b3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57e4b3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57e4b3.exe
Executes dropped EXE 3 IoCs
pid  Process
4336  e57a529.exe
4696  e57a74c.exe
5100  e57e4b3.exe

Windows security modification 14 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57a529.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57e4b3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57e4b3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57e4b3.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e57e4b3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57e4b3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57e4b3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57e4b3.exe

Checks whether UAC is enabled 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57e4b3.exe
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\E:  e57a529.exe
File opened (read-only)  \??\G:  e57a529.exe
File opened (read-only)  \??\H:  e57a529.exe
File opened (read-only)  \??\I:  e57a529.exe
File opened (read-only)  \??\E:  e57e4b3.exe
UPX-packed memory regions (yara rule: upx) 28 IoCs
resource  yara_rule
behavioral2/memory/4336-{8,9,10,11,12,13,14,24,25,30,36,37,38,43,44,46,47,63,64,70}-0x0000000000820000-0x00000000018DA000-memory.dmp  upx  (20 dumps of the same region of PID 4336)
behavioral2/memory/5100-{90,92,93,94,95,96,102,134}-0x00000000007B0000-0x000000000186A000-memory.dmp  upx  (8 dumps of the same region of PID 5100)
Drops file in Windows directory 3 IoCs
description  ioc  Process
File created  C:\Windows\e57a5f4  e57a529.exe
File opened for modification  C:\Windows\SYSTEM.INI  e57a529.exe
File created  C:\Windows\e580c20  e57e4b3.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57a529.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57a74c.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57e4b3.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid  Process
4336  e57a529.exe  (4 entries)
5100  e57e4b3.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeDebugPrivilege  4336  e57a529.exe  (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (repeat count of identical rows in parentheses)
PID 2272 wrote to memory of 4412  2272  rundll32.exe  83  (x3)
PID 4412 wrote to memory of 4336  4412  rundll32.exe  84  (x3)
PID 4336 wrote to memory of 800  4336  e57a529.exe  9  (x2)
PID 4336 wrote to memory of 804  4336  e57a529.exe  10  (x2)
PID 4336 wrote to memory of 380  4336  e57a529.exe  13  (x2)
PID 4336 wrote to memory of 2868  4336  e57a529.exe  50  (x2)
PID 4336 wrote to memory of 2916  4336  e57a529.exe  51  (x2)
PID 4336 wrote to memory of 668  4336  e57a529.exe  53  (x2)
PID 4336 wrote to memory of 3452  4336  e57a529.exe  56  (x2)
PID 4336 wrote to memory of 3576  4336  e57a529.exe  57  (x2)
PID 4336 wrote to memory of 3760  4336  e57a529.exe  58  (x2)
PID 4336 wrote to memory of 3940  4336  e57a529.exe  59  (x2)
PID 4336 wrote to memory of 4004  4336  e57a529.exe  60  (x2)
PID 4336 wrote to memory of 4080  4336  e57a529.exe  61  (x2)
PID 4336 wrote to memory of 3884  4336  e57a529.exe  62  (x2)
PID 4336 wrote to memory of 516  4336  e57a529.exe  64  (x2)
PID 4336 wrote to memory of 3172  4336  e57a529.exe  75  (x2)
PID 4336 wrote to memory of 920  4336  e57a529.exe  81  (x2)
PID 4336 wrote to memory of 2272  4336  e57a529.exe  82  (x2)
PID 4336 wrote to memory of 4412  4336  e57a529.exe  83  (x2)
PID 4412 wrote to memory of 4696  4412  rundll32.exe  85  (x3)
PID 4336 wrote to memory of 4696  4336  e57a529.exe  85  (x2)
PID 4336 wrote to memory of 3852  4336  e57a529.exe  87
PID 4412 wrote to memory of 5100  4412  rundll32.exe  91  (x3)
PID 5100 wrote to memory of 800  5100  e57e4b3.exe  9
PID 5100 wrote to memory of 804  5100  e57e4b3.exe  10
PID 5100 wrote to memory of 380  5100  e57e4b3.exe  13
PID 5100 wrote to memory of 2868  5100  e57e4b3.exe  50
PID 5100 wrote to memory of 2916  5100  e57e4b3.exe  51
PID 5100 wrote to memory of 668  5100  e57e4b3.exe  53
PID 5100 wrote to memory of 3452  5100  e57e4b3.exe  56
PID 5100 wrote to memory of 3576  5100  e57e4b3.exe  57
PID 5100 wrote to memory of 3760  5100  e57e4b3.exe  58
PID 5100 wrote to memory of 3940  5100  e57e4b3.exe  59
PID 5100 wrote to memory of 4004  5100  e57e4b3.exe  60
PID 5100 wrote to memory of 4080  5100  e57e4b3.exe  61
PID 5100 wrote to memory of 3884  5100  e57e4b3.exe  62
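The 64 WriteProcessMemory rows above mix two different things: the ordinary writes a parent makes into a child it has just created (2272 into 4412, 4412 into 4336/4696/5100), and writes by e57a529.exe and e57e4b3.exe into processes they did not create (fontdrvhost, dwm, sihost, Explorer, RuntimeBroker and so on), which is the Sality code-injection fan-out. The trailing number in each row (procid_target) is the report's own process index, not a PID. The following is an added example and not part of the sandbox report: it parses a subset of the rows (constructed inline from the report's own text, including deliberate repeats), de-duplicates them, and uses the parent/child links read off the report's process-tree depth markers to separate spawned children from injection victims. The PARENT_OF and NAME_OF tables are transcribed from the tree above, and the victim-count threshold is this example's own choice.

```python
"""Separate process-creation writes from cross-process injection in sandbox
"wrote to memory" rows.  Added example; not part of the sandbox report."""
import re
from collections import defaultdict

# One report row: "PID <src> wrote to memory of <dst> <src> <process> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def parse_writes(text):
    """Return de-duplicated (writer_pid, writer_name, target_pid) edges in first-seen order."""
    edges, seen = [], set()
    for src, dst, name in ROW_RE.findall(text):
        edge = (int(src), name, int(dst))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def classify(edges, parent_of, min_victims=3):
    """Split each writer's targets into children it spawned and processes it injected into.

    A write into a direct child is what process creation looks like; a write into any
    other process is cross-process injection.  A writer with >= min_victims injection
    targets is flagged as an injector (the threshold is an assumption of this example).
    """
    buckets = defaultdict(lambda: {"spawned": set(), "injected": set()})
    names = {}
    for src, name, dst in edges:
        names[src] = name
        kind = "spawned" if parent_of.get(dst) == src else "injected"
        buckets[src][kind].add(dst)
    return {
        src: {
            "name": names[src],
            "spawned": sorted(b["spawned"]),
            "injected": sorted(b["injected"]),
            "injector": len(b["injected"]) >= min_victims,
        }
        for src, b in buckets.items()
    }


def render(report, name_of):
    """Human-readable summary, one writer per block, victims resolved to image names."""
    lines = []
    for src, r in sorted(report.items()):
        lines.append("%d %s [%s]" % (src, r["name"], "INJECTOR" if r["injector"] else "ok"))
        for kind in ("spawned", "injected"):
            for pid in r[kind]:
                lines.append("  %-9s %5d %s" % (kind, pid, name_of.get(pid, "?")))
    return "\n".join(lines)


# Parent/child links read off the report's process tree (depth markers), and PID -> image.
PARENT_OF = {2272: 3452, 4412: 2272, 4336: 4412, 4696: 4412, 5100: 4412}
NAME_OF = {
    800: "fontdrvhost.exe", 804: "fontdrvhost.exe", 380: "dwm.exe", 2868: "sihost.exe",
    2916: "svchost.exe", 668: "taskhostw.exe", 3452: "Explorer.EXE", 2272: "rundll32.exe",
    4412: "rundll32.exe", 4336: "e57a529.exe", 4696: "e57a74c.exe", 5100: "e57e4b3.exe",
    3576: "svchost.exe", 3760: "DllHost.exe", 3940: "StartMenuExperienceHost.exe",
    4004: "RuntimeBroker.exe", 4080: "SearchApp.exe", 3884: "RuntimeBroker.exe",
    516: "RuntimeBroker.exe", 3172: "TextInputHost.exe", 920: "backgroundTaskHost.exe",
    3852: "RuntimeBroker.exe", 408: "RuntimeBroker.exe",
}

# Constructed sample: a subset of the report's rows, with one exact repeat kept on purpose.
SAMPLE = """
PID 2272 wrote to memory of 4412 2272 rundll32.exe 83 PID 2272 wrote to memory of 4412 2272 rundll32.exe 83
PID 4412 wrote to memory of 4336 4412 rundll32.exe 84 PID 4336 wrote to memory of 800 4336 e57a529.exe 9
PID 4336 wrote to memory of 804 4336 e57a529.exe 10 PID 4336 wrote to memory of 380 4336 e57a529.exe 13
PID 4336 wrote to memory of 2868 4336 e57a529.exe 50 PID 4336 wrote to memory of 2916 4336 e57a529.exe 51
PID 4336 wrote to memory of 668 4336 e57a529.exe 53 PID 4336 wrote to memory of 3452 4336 e57a529.exe 56
PID 4336 wrote to memory of 3576 4336 e57a529.exe 57 PID 4336 wrote to memory of 3760 4336 e57a529.exe 58
PID 4336 wrote to memory of 3940 4336 e57a529.exe 59 PID 4336 wrote to memory of 4004 4336 e57a529.exe 60
PID 4336 wrote to memory of 4080 4336 e57a529.exe 61 PID 4336 wrote to memory of 3884 4336 e57a529.exe 62
PID 4336 wrote to memory of 516 4336 e57a529.exe 64 PID 4336 wrote to memory of 3172 4336 e57a529.exe 75
PID 4336 wrote to memory of 920 4336 e57a529.exe 81 PID 4336 wrote to memory of 2272 4336 e57a529.exe 82
PID 4336 wrote to memory of 4412 4336 e57a529.exe 83 PID 4412 wrote to memory of 4696 4412 rundll32.exe 85
PID 4336 wrote to memory of 4696 4336 e57a529.exe 85 PID 4336 wrote to memory of 3852 4336 e57a529.exe 87
PID 4412 wrote to memory of 5100 4412 rundll32.exe 91 PID 5100 wrote to memory of 800 5100 e57e4b3.exe 9
PID 5100 wrote to memory of 804 5100 e57e4b3.exe 10 PID 5100 wrote to memory of 380 5100 e57e4b3.exe 13
PID 5100 wrote to memory of 3452 5100 e57e4b3.exe 56
"""

if __name__ == "__main__":
    print(render(classify(parse_writes(SAMPLE), PARENT_OF), NAME_OF))
```

Run stand-alone it prints one block per writer; the two rundll32 instances come out as "ok" (they only wrote into children they created), while e57a529.exe and e57e4b3.exe are flagged. The same split is what a Sysmon-based detection would need: a CreateRemoteThread or WriteProcessMemory into one's own child is routine, into twenty unrelated system processes is not.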
System policy modification 1 TTPs 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a529.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57e4b3.exe
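Taken together, the registry IoCs under the firewall, UAC, Security Center and system-policy signatures are the whole defence-evasion story of this sample: the host firewall is switched off with exceptions re-allowed and notifications suppressed, EnableLUA is cleared (which takes effect at the next logon), and every Security Center notify/override flag is forced so the user is not warned that protection is gone. The Security Center keys sit under WOW6432Node because the dropped executables run as 32-bit processes on the x64 host, which is also why the 64-bit rundll32.exe hands the DLL off to SysWOW64\rundll32.exe. The following is an added example and not part of the sandbox report or of any vendor tooling: it parses rows in the report's own 'Set value (int) <key> = "<value>" <process>' and 'Key created <key> <process>' formats, normalises the NT-native key path (\REGISTRY\MACHINE, ControlSetNNN, WOW6432Node) so one rule covers the 32-bit and 64-bit views, and matches each write against a rule table that records which value actually weakens the control, so that a write that hardens the same key is not flagged. The rule table, its labels, the ATT&CK mapping and the constructed rows are this example's own assumptions.

```python
"""Flag security-control tampering in sandbox registry IoC rows.
Added example; not part of the sandbox report or of any vendor's tooling."""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created) (?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")? (?P<process>\S+)$'
)

# Normalised (lower-case, HKLM, CurrentControlSet, no WOW6432Node) key paths.
FW = r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile"
SC = r"hklm\software\microsoft\security center"
POL = r"hklm\software\microsoft\windows\currentversion\policies\system"

# (key, value name) -> (value that weakens the control, description, ATT&CK technique).
# Assumed mapping for this example.
VALUE_RULES = {
    (FW, "enablefirewall"):         ("0", "host firewall disabled", "T1562.004"),
    (FW, "donotallowexceptions"):   ("0", "firewall exceptions allowed", "T1562.004"),
    (FW, "disablenotifications"):   ("1", "firewall notifications suppressed", "T1562.004"),
    (POL, "enablelua"):             ("0", "UAC disabled", "T1548.002"),
    (SC, "antivirusoverride"):      ("1", "Security Center AV state overridden", "T1562.001"),
    (SC, "firewalloverride"):       ("1", "Security Center firewall state overridden", "T1562.001"),
    (SC, "antivirusdisablenotify"): ("1", "AV alerts silenced", "T1562.001"),
    (SC, "firewalldisablenotify"):  ("1", "firewall alerts silenced", "T1562.001"),
    (SC, "updatesdisablenotify"):   ("1", "update alerts silenced", "T1562.001"),
    (SC, "uacdisablenotify"):       ("1", "UAC alerts silenced", "T1562.001"),
}
# Keys whose mere creation by a non-system process is worth reporting.
KEY_RULES = {SC + r"\svc": ("Security Center\\Svc key created", "T1112")}


def normalise_key(nt_path):
    """\\REGISTRY\\MACHINE -> HKLM, ControlSetNNN -> CurrentControlSet, drop WOW6432Node, lower-case."""
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", lambda m: "HKLM\\", nt_path, flags=re.I)
    key = re.sub(r"\\ControlSet\d+\\", lambda m: "\\CurrentControlSet\\", key, flags=re.I)
    key = re.sub(r"\\WOW6432Node\\", lambda m: "\\", key, flags=re.I)
    return key.lower()


def parse_row(row):
    """Return (process, normalised key, value name or None, value or None)."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError("unrecognised IoC row: %r" % row)
    path, value, proc = m.group("path"), m.group("value"), m.group("process")
    if value is None:                       # "Key created": the whole path is the key
        return proc, normalise_key(path), None, None
    key, _, name = path.rpartition("\\")
    return proc, normalise_key(key), name.lower(), value


def analyse(rows):
    """Return {process: sorted list of (description, technique)} for rule-matching writes."""
    hits = defaultdict(set)
    for row in rows:
        proc, key, name, value = parse_row(row)
        if name is None:
            rule = KEY_RULES.get(key)
            if rule:
                hits[proc].add(rule)
            continue
        rule = VALUE_RULES.get((key, name))
        if rule and value == rule[0]:       # only the weakening value counts
            hits[proc].add(rule[1:])
    return {p: sorted(h) for p, h in hits.items()}


def techniques(findings):
    """Distinct ATT&CK technique IDs across all flagged processes."""
    return sorted({t for hits in findings.values() for _, t in hits})


# Constructed sample: a subset of the report's rows plus one benign write (harden.exe is made up).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57a529.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57a529.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57a529.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57a529.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57a529.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57a529.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57a529.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57e4b3.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57e4b3.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" harden.exe',
]

if __name__ == "__main__":
    for proc, found in analyse(SAMPLE_ROWS).items():
        print(proc)
        for desc, tech in found:
            print("  %-45s %s" % (desc, tech))
```

The same normalisation is what you want before matching Sysmon Event ID 13 (RegistryEvent value set) or Windows Security Event 4657 records, which report the path in the HKLM\ or \REGISTRY\MACHINE\ form depending on the source; without folding ControlSetNNN and WOW6432Node a rule written for one view silently misses the other.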
Processes (indentation follows the parent/child depth markers of the report's tree)

PID 800   C:\Windows\system32\fontdrvhost.exe
          cmd: "fontdrvhost.exe"
PID 804   C:\Windows\system32\fontdrvhost.exe
          cmd: "fontdrvhost.exe"
PID 380   C:\Windows\system32\dwm.exe
          cmd: "dwm.exe"
PID 2868  C:\Windows\system32\sihost.exe
          cmd: sihost.exe
PID 2916  C:\Windows\system32\svchost.exe
          cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 668   C:\Windows\system32\taskhostw.exe
          cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3452  C:\Windows\Explorer.EXE
          cmd: C:\Windows\Explorer.EXE
  PID 2272  C:\Windows\system32\rundll32.exe
            cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1a286559610df0f7fb8048a04be42dedaddbab1059496f169d9faf933fdd70d.dll,#1
            - Suspicious use of WriteProcessMemory
    PID 4412  C:\Windows\SysWOW64\rundll32.exe
              cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1a286559610df0f7fb8048a04be42dedaddbab1059496f169d9faf933fdd70d.dll,#1
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
      PID 4336  C:\Users\Admin\AppData\Local\Temp\e57a529.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\e57a529.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
      PID 4696  C:\Users\Admin\AppData\Local\Temp\e57a74c.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\e57a74c.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
      PID 5100  C:\Users\Admin\AppData\Local\Temp\e57e4b3.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\e57e4b3.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
PID 3576  C:\Windows\system32\svchost.exe
          cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3760  C:\Windows\system32\DllHost.exe
          cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3940  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 4004  C:\Windows\System32\RuntimeBroker.exe
          cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4080  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3884  C:\Windows\System32\RuntimeBroker.exe
          cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 516   C:\Windows\System32\RuntimeBroker.exe
          cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3172  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
          cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 920   C:\Windows\system32\backgroundTaskHost.exe
          cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 3852  C:\Windows\System32\RuntimeBroker.exe
          cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 408   C:\Windows\System32\RuntimeBroker.exe
          cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
MITRE ATT&CK Enterprise v15 (bracketed number = count shown in the report)
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548) [1]
    Bypass User Account Control (T1548.002) [1]
  Create or Modify System Process (T1543) [1]
    Windows Service (T1543.003) [1]
Defense Evasion
  Abuse Elevation Control Mechanism (T1548) [1]
    Bypass User Account Control (T1548.002) [1]
  Impair Defenses (T1562) [4]
    Disable or Modify System Firewall (T1562.004) [1]
    Disable or Modify Tools (T1562.001) [3]
  Modify Registry (T1112) [5]
Downloads

Filesize: 97KB
MD5: 3a6159220e3869de3462955b5246ace1
SHA1: 15205e829ef2dc7cc85cd4cf0ca10a022162e7eb
SHA256: 78409e270cc434114ab6c7cf95d9e99cf945aca47cc9c657e311496223c15705
SHA512: fdd3511b70b0a5a0eb0b4ed5d091bcc1257c003bbd5f3f3a4a035a41dde95055e5114b3e0ace114a3bc8022f809605628903ad7253f767c3397b7c84197a2989

Filesize: 257B
MD5: 1fbaaf0571d291c401a8458c59c1b5ba
SHA1: 160a91cad10841e32589364fbef12f4dafa786d9
SHA256: 31762f41badbfeb964cbf1cbf255435be6ddca6871f2ae664944800ee8f431ac
SHA512: 0176ae30547ba5bec534f6fdd9750344be9821653bfd37aff3e65dac97e133f18b953c317fcf5b03003bb3ce97e6d741b140ab294794df9d231ae33b87044de1