Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 00:03
Static task: static1
Behavioral task: behavioral1
Sample: 5aa761f6aaaf79d892ad84b35402bda4a8c5565a5e92539053d7a6eaca29b551.dll
Resource: win7-20240903-en
General
Target: 5aa761f6aaaf79d892ad84b35402bda4a8c5565a5e92539053d7a6eaca29b551.dll
Size: 120KB
MD5: 904953243cfe91862918394d584d0d10
SHA1: bc603016de0f0cf930a108b93adf0e0a3a2e9af2
SHA256: 5aa761f6aaaf79d892ad84b35402bda4a8c5565a5e92539053d7a6eaca29b551
SHA512: 3de55a7fa947191b329ea9de2247e39c45bca582ab87d6ea1929754b7cad9df72a6564c53fe48268bb50ee14d8b219a93d44901b2164470547187b6786c6fca8
SSDEEP: 3072:4PugFUv1nieLcfh2nIEG9TtoHRXmKh4ualXS:lgSv5iqtIEkTtoHRX7hf
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e57bda3.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57bda3.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57bda3.exe
Sality family

UAC bypass (2 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57bda3.exe

Windows security bypass (12 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57bda3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57bda3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57bda3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57bda3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57bda3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57bda3.exe
Executes dropped EXE (3 IoCs)
pid  Process
4324  e578935.exe
1236  e578aac.exe
4008  e57bda3.exe

Windows security modification (14 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e578935.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57bda3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57bda3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57bda3.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e57bda3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57bda3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57bda3.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57bda3.exe

Checks whether UAC is enabled (2 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57bda3.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\K:  e578935.exe
File opened (read-only)  \??\L:  e578935.exe
File opened (read-only)  \??\M:  e578935.exe
File opened (read-only)  \??\E:  e57bda3.exe
File opened (read-only)  \??\H:  e57bda3.exe
File opened (read-only)  \??\H:  e578935.exe
File opened (read-only)  \??\I:  e578935.exe
File opened (read-only)  \??\J:  e578935.exe
File opened (read-only)  \??\G:  e57bda3.exe
File opened (read-only)  \??\I:  e57bda3.exe
File opened (read-only)  \??\J:  e57bda3.exe
File opened (read-only)  \??\E:  e578935.exe
File opened (read-only)  \??\G:  e578935.exe
Drops file in Windows directory (3 IoCs)
description  ioc  Process
File created  C:\Windows\e578993  e578935.exe
File opened for modification  C:\Windows\SYSTEM.INI  e578935.exe
File created  C:\Windows\e57e4f1  e57bda3.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57bda3.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e578935.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e578aac.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid  Process
4324  e578935.exe (listed 4 times)
4008  e57bda3.exe (listed 2 times)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description  pid  Process
Token: SeDebugPrivilege  4324  e578935.exe (all 64 entries are identical)
Suspicious use of WriteProcessMemory (64 IoCs; exact duplicate rows collapsed)
description  pid  Process  procid_target
PID 520 wrote to memory of 3312  520  rundll32.exe  84
PID 3312 wrote to memory of 4324  3312  rundll32.exe  85
PID 4324 wrote to memory of 800  4324  e578935.exe  8
PID 4324 wrote to memory of 808  4324  e578935.exe  9
PID 4324 wrote to memory of 376  4324  e578935.exe  13
PID 4324 wrote to memory of 2724  4324  e578935.exe  45
PID 4324 wrote to memory of 2824  4324  e578935.exe  50
PID 4324 wrote to memory of 2068  4324  e578935.exe  51
PID 4324 wrote to memory of 3508  4324  e578935.exe  56
PID 4324 wrote to memory of 3612  4324  e578935.exe  57
PID 4324 wrote to memory of 3800  4324  e578935.exe  58
PID 4324 wrote to memory of 3908  4324  e578935.exe  59
PID 4324 wrote to memory of 3972  4324  e578935.exe  60
PID 4324 wrote to memory of 4080  4324  e578935.exe  61
PID 4324 wrote to memory of 4152  4324  e578935.exe  62
PID 4324 wrote to memory of 4328  4324  e578935.exe  73
PID 4324 wrote to memory of 4388  4324  e578935.exe  75
PID 4324 wrote to memory of 3700  4324  e578935.exe  77
PID 4324 wrote to memory of 2472  4324  e578935.exe  82
PID 4324 wrote to memory of 520  4324  e578935.exe  83
PID 4324 wrote to memory of 3312  4324  e578935.exe  84
PID 3312 wrote to memory of 1236  3312  rundll32.exe  86
PID 4324 wrote to memory of 1236  4324  e578935.exe  86
PID 3312 wrote to memory of 4008  3312  rundll32.exe  88
PID 4008 wrote to memory of 800  4008  e57bda3.exe  8
PID 4008 wrote to memory of 808  4008  e57bda3.exe  9
PID 4008 wrote to memory of 376  4008  e57bda3.exe  13
PID 4008 wrote to memory of 2724  4008  e57bda3.exe  45
PID 4008 wrote to memory of 2824  4008  e57bda3.exe  50
PID 4008 wrote to memory of 2068  4008  e57bda3.exe  51
PID 4008 wrote to memory of 3508  4008  e57bda3.exe  56
PID 4008 wrote to memory of 3612  4008  e57bda3.exe  57
PID 4008 wrote to memory of 3800  4008  e57bda3.exe  58
PID 4008 wrote to memory of 3908  4008  e57bda3.exe  59
PID 4008 wrote to memory of 3972  4008  e57bda3.exe  60
PID 4008 wrote to memory of 4080  4008  e57bda3.exe  61
System policy modification (1 TTPs, 2 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e578935.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57bda3.exe
Processes
- C:\Windows\system32\fontdrvhost.exe [PID 800] cmd: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe [PID 808] cmd: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe [PID 376] cmd: "dwm.exe"
- C:\Windows\system32\sihost.exe [PID 2724] cmd: sihost.exe
- C:\Windows\system32\svchost.exe [PID 2824] cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe [PID 2068] cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE [PID 3508] cmd: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe [PID 520] cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5aa761f6aaaf79d892ad84b35402bda4a8c5565a5e92539053d7a6eaca29b551.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe [PID 3312] cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5aa761f6aaaf79d892ad84b35402bda4a8c5565a5e92539053d7a6eaca29b551.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e578935.exe [PID 4324] cmd: C:\Users\Admin\AppData\Local\Temp\e578935.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e578aac.exe [PID 1236] cmd: C:\Users\Admin\AppData\Local\Temp\e578aac.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57bda3.exe [PID 4008] cmd: C:\Users\Admin\AppData\Local\Temp\e57bda3.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe [PID 3612] cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe [PID 3800] cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe [PID 3908] cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe [PID 3972] cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe [PID 4080] cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe [PID 4152] cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe [PID 4328] cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe [PID 4388] cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe [PID 3700] cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe [PID 2472] cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: f49604a7282db0c80359a3627bb0119d
  SHA1: 51cee1889433ca033d75aa4490c765dbef9418c1
  SHA256: 08d7836cd37b8815cb73ab9e95f404d2a4c2cd5f82d06afd517a25e510160209
  SHA512: 4bf743dd6c3f24658cfbe010e7f1139595fbd7548d71757eb07c1e17f6ec56efad580f5838a150fe3ae4cbf8aa75df46fd4524aa7d8b15ffcb8c11206c96e1ea
- Filesize: 257B
  MD5: 1b7d0b2b27c4318080cd5656d39a190e
  SHA1: 3d81abc596f6c5d6a444747b6e488b39fe960bc7
  SHA256: 4c0e90974ba3cd8f6e164a6fee4f005b4a0465a2b9c927ccd04563f896e76e32
  SHA512: 4029230015e99cb5e6c9f608690f6c599d950bd41e175fb317a735561bd8fa63a4cb20594e4564ba8b9a87004e30d82f99215d2815cc23a3e90545e398c16ac0