Analysis
max time kernel: 93s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 20:46

Static task: static1
Behavioral task: behavioral1
Sample: 531d090c340a4ac61ec0442f574f45c7284c263d67f2ef3ffc5db64b5d24bb10N.dll
Resource: win7-20241023-en
General
Target: 531d090c340a4ac61ec0442f574f45c7284c263d67f2ef3ffc5db64b5d24bb10N.dll
Size: 120KB
MD5: ed1bbef8c3b42905de9f72b6063c8d10
SHA1: 8129fa9d51e33c4c411655dfb86ecb8ff50f8593
SHA256: 531d090c340a4ac61ec0442f574f45c7284c263d67f2ef3ffc5db64b5d24bb10
SHA512: b36c9c048130a5aeed64c3a37c0b8ae962bc0ff7f7ea7bb8523d9308affc0b7494f556f447d790bd73ad01046a7bf88c24587fd7704c18eae0dcb7d8b6b289dd
SSDEEP: 3072:Py1dUDwEcMquaJ9QMbaoWP9wL55Mz0wvi:a1dQcACafa5iZvi
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ab92.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab92.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577129.exe
Executes dropped EXE (3 IoCs)
pid | Process
3960 | e577129.exe
3124 | e57732c.exe
3460 | e57ab92.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ab92.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577129.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ab92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ab92.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab92.exe
Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57ab92.exe
File opened (read-only) | \??\H: | e57ab92.exe
File opened (read-only) | \??\K: | e577129.exe
File opened (read-only) | \??\G: | e577129.exe
File opened (read-only) | \??\H: | e577129.exe
File opened (read-only) | \??\I: | e577129.exe
File opened (read-only) | \??\J: | e577129.exe
File opened (read-only) | \??\E: | e57ab92.exe
File opened (read-only) | \??\I: | e57ab92.exe
File opened (read-only) | \??\E: | e577129.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e5771c5 | e577129.exe
File opened for modification | C:\Windows\SYSTEM.INI | e577129.exe
File created | C:\Windows\e57d3cb | e57ab92.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57732c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ab92.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577129.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3960 | e577129.exe
3960 | e577129.exe
3960 | e577129.exe
3960 | e577129.exe
3460 | e57ab92.exe
3460 | e57ab92.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 716 wrote to memory of 4628 | 716 | rundll32.exe | 83
PID 716 wrote to memory of 4628 | 716 | rundll32.exe | 83
PID 716 wrote to memory of 4628 | 716 | rundll32.exe | 83
PID 4628 wrote to memory of 3960 | 4628 | rundll32.exe | 84
PID 4628 wrote to memory of 3960 | 4628 | rundll32.exe | 84
PID 4628 wrote to memory of 3960 | 4628 | rundll32.exe | 84
PID 3960 wrote to memory of 792 | 3960 | e577129.exe | 9
PID 3960 wrote to memory of 800 | 3960 | e577129.exe | 10
PID 3960 wrote to memory of 60 | 3960 | e577129.exe | 13
PID 3960 wrote to memory of 2964 | 3960 | e577129.exe | 51
PID 3960 wrote to memory of 3024 | 3960 | e577129.exe | 52
PID 3960 wrote to memory of 2636 | 3960 | e577129.exe | 53
PID 3960 wrote to memory of 3436 | 3960 | e577129.exe | 56
PID 3960 wrote to memory of 3564 | 3960 | e577129.exe | 57
PID 3960 wrote to memory of 3740 | 3960 | e577129.exe | 58
PID 3960 wrote to memory of 3840 | 3960 | e577129.exe | 59
PID 3960 wrote to memory of 3904 | 3960 | e577129.exe | 60
PID 3960 wrote to memory of 3992 | 3960 | e577129.exe | 61
PID 3960 wrote to memory of 4112 | 3960 | e577129.exe | 62
PID 3960 wrote to memory of 2316 | 3960 | e577129.exe | 64
PID 3960 wrote to memory of 1800 | 3960 | e577129.exe | 76
PID 3960 wrote to memory of 1260 | 3960 | e577129.exe | 81
PID 3960 wrote to memory of 716 | 3960 | e577129.exe | 82
PID 3960 wrote to memory of 4628 | 3960 | e577129.exe | 83
PID 3960 wrote to memory of 4628 | 3960 | e577129.exe | 83
PID 4628 wrote to memory of 3124 | 4628 | rundll32.exe | 85
PID 4628 wrote to memory of 3124 | 4628 | rundll32.exe | 85
PID 4628 wrote to memory of 3124 | 4628 | rundll32.exe | 85
PID 3960 wrote to memory of 792 | 3960 | e577129.exe | 9
PID 3960 wrote to memory of 800 | 3960 | e577129.exe | 10
PID 3960 wrote to memory of 60 | 3960 | e577129.exe | 13
PID 3960 wrote to memory of 2964 | 3960 | e577129.exe | 51
PID 3960 wrote to memory of 3024 | 3960 | e577129.exe | 52
PID 3960 wrote to memory of 2636 | 3960 | e577129.exe | 53
PID 3960 wrote to memory of 3436 | 3960 | e577129.exe | 56
PID 3960 wrote to memory of 3564 | 3960 | e577129.exe | 57
PID 3960 wrote to memory of 3740 | 3960 | e577129.exe | 58
PID 3960 wrote to memory of 3840 | 3960 | e577129.exe | 59
PID 3960 wrote to memory of 3904 | 3960 | e577129.exe | 60
PID 3960 wrote to memory of 3992 | 3960 | e577129.exe | 61
PID 3960 wrote to memory of 4112 | 3960 | e577129.exe | 62
PID 3960 wrote to memory of 2316 | 3960 | e577129.exe | 64
PID 3960 wrote to memory of 1800 | 3960 | e577129.exe | 76
PID 3960 wrote to memory of 1260 | 3960 | e577129.exe | 81
PID 3960 wrote to memory of 716 | 3960 | e577129.exe | 82
PID 3960 wrote to memory of 3124 | 3960 | e577129.exe | 85
PID 3960 wrote to memory of 3124 | 3960 | e577129.exe | 85
PID 4628 wrote to memory of 3460 | 4628 | rundll32.exe | 86
PID 4628 wrote to memory of 3460 | 4628 | rundll32.exe | 86
PID 4628 wrote to memory of 3460 | 4628 | rundll32.exe | 86
PID 3460 wrote to memory of 792 | 3460 | e57ab92.exe | 9
PID 3460 wrote to memory of 800 | 3460 | e57ab92.exe | 10
PID 3460 wrote to memory of 60 | 3460 | e57ab92.exe | 13
PID 3460 wrote to memory of 2964 | 3460 | e57ab92.exe | 51
PID 3460 wrote to memory of 3024 | 3460 | e57ab92.exe | 52
PID 3460 wrote to memory of 2636 | 3460 | e57ab92.exe | 53
PID 3460 wrote to memory of 3436 | 3460 | e57ab92.exe | 56
PID 3460 wrote to memory of 3564 | 3460 | e57ab92.exe | 57
PID 3460 wrote to memory of 3740 | 3460 | e57ab92.exe | 58
PID 3460 wrote to memory of 3840 | 3460 | e57ab92.exe | 59
PID 3460 wrote to memory of 3904 | 3460 | e57ab92.exe | 60
PID 3460 wrote to memory of 3992 | 3460 | e57ab92.exe | 61
PID 3460 wrote to memory of 4112 | 3460 | e57ab92.exe | 62
PID 3460 wrote to memory of 2316 | 3460 | e57ab92.exe | 64
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577129.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab92.exe
Processes
(process tree: path | command line | PID; children are indented under their parent)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:800
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:60
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2964
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3024
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2636
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3436
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\531d090c340a4ac61ec0442f574f45c7284c263d67f2ef3ffc5db64b5d24bb10N.dll,#1 | PID:716
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\531d090c340a4ac61ec0442f574f45c7284c263d67f2ef3ffc5db64b5d24bb10N.dll,#1 | PID:4628
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e577129.exe | C:\Users\Admin\AppData\Local\Temp\e577129.exe | PID:3960
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57732c.exe | C:\Users\Admin\AppData\Local\Temp\e57732c.exe | PID:3124
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57ab92.exe | C:\Users\Admin\AppData\Local\Temp\e57ab92.exe | PID:3460
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3564
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3740
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3840
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3904
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3992
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4112
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2316
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1800
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1260
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: c76eeb93d06ea8d93c62e3158c16cce6
  SHA1: d28dfb9fda05421aa9befa411686b25b9e50baaa
  SHA256: 4e0e93f94d8369df6a0f92ee62a9baa9a01a358f5a9cefaf199fe18141c40720
  SHA512: 03b122a08ad7bf368860b1aaabd5504ea16bd1bee55b28f5d565c4ebd560435d9c6602530b39fa4852d21130be718843842260308bd584900dd0c170286b2916
- Filesize: 257B
  MD5: ba2e2e1f0cb51d1e2ff54480c56c366e
  SHA1: d8d625bcf09db56df74cd3435120aa8a705b6541
  SHA256: 06b3acaff0aa487bfd00414252548a2045e849b148b86b6ed655d9cde8c3b0fd
  SHA512: f9829f724c77d6b5af530c9eb1ad300ef78982942452418e0aecaabdad04f841a9765ad3fe4d985d257304ec72d55caaf0c2cf708c5166221f47b91c02f148cc