Analysis
- max time kernel: 97s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-12-2024 19:33

Static task: static1

Behavioral task: behavioral1
- Sample: 0c01045781500cfe8073045614540798035cf547283a841a43864c4e840bde9e.dll
- Resource: win7-20240729-en
General
- Target: 0c01045781500cfe8073045614540798035cf547283a841a43864c4e840bde9e.dll
- Size: 120KB
- MD5: d19df5c8c90e4c96f0111e5ff08063cc
- SHA1: e601949c7e5936db6a11dc648d78de759ec83ea6
- SHA256: 0c01045781500cfe8073045614540798035cf547283a841a43864c4e840bde9e
- SHA512: 6eb9b4fe0803dde59ad1f829eb786412b266da9d2f2d241bf3d021fdc14e8cc6b651326f30242bbffe2ab1fa8dd2e354d7cf32e7925cfdacd3dca4a1e9ec8b1d
- SSDEEP: 3072:OW0YEL3OIc7s8zyu96EHn1W88/skh0Rhco:OWXEaIc7OPyn1W88/fevH
Malware Config
- Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57f78f.exe |

Sality family

UAC bypass

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f78f.exe |

Windows security bypass

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f78f.exe |

Executes dropped EXE (3 IoCs)

| pid | Process |
| --- | --- |
| 220 | e57b48b.exe |
| 2664 | e57b630.exe |
| 2820 | e57f78f.exe |

Windows security modification

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b48b.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f78f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f78f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b48b.exe |

Checks whether UAC is enabled

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f78f.exe |

Enumerates connected drives (3 TTPs, 3 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\E: | e57b48b.exe |
| File opened (read-only) | \??\G: | e57b48b.exe |
| File opened (read-only) | \??\H: | e57b48b.exe |
Drops file in Windows directory (3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\e57b4f8 | e57b48b.exe |
| File opened for modification | C:\Windows\SYSTEM.INI | e57b48b.exe |
| File created | C:\Windows\e581efd | e57f78f.exe |

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b48b.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b630.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57f78f.exe |

Suspicious behavior: EnumeratesProcesses (6 IoCs)

| pid | Process |
| --- | --- |
| 220 | e57b48b.exe |
| 220 | e57b48b.exe |
| 220 | e57b48b.exe |
| 220 | e57b48b.exe |
| 2820 | e57f78f.exe |
| 2820 | e57f78f.exe |

Suspicious use of AdjustPrivilegeToken (64 IoCs, all identical)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 220 | e57b48b.exe |

Suspicious use of WriteProcessMemory (63 IoCs, duplicate rows collapsed)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 5056 wrote to memory of 2940 | 5056 | rundll32.exe | 82 |
| PID 2940 wrote to memory of 220 | 2940 | rundll32.exe | 83 |
| PID 220 wrote to memory of 788 | 220 | e57b48b.exe | 8 |
| PID 220 wrote to memory of 792 | 220 | e57b48b.exe | 9 |
| PID 220 wrote to memory of 60 | 220 | e57b48b.exe | 13 |
| PID 220 wrote to memory of 2988 | 220 | e57b48b.exe | 50 |
| PID 220 wrote to memory of 2232 | 220 | e57b48b.exe | 51 |
| PID 220 wrote to memory of 740 | 220 | e57b48b.exe | 52 |
| PID 220 wrote to memory of 3420 | 220 | e57b48b.exe | 56 |
| PID 220 wrote to memory of 3544 | 220 | e57b48b.exe | 57 |
| PID 220 wrote to memory of 3748 | 220 | e57b48b.exe | 58 |
| PID 220 wrote to memory of 3840 | 220 | e57b48b.exe | 59 |
| PID 220 wrote to memory of 3904 | 220 | e57b48b.exe | 60 |
| PID 220 wrote to memory of 3984 | 220 | e57b48b.exe | 61 |
| PID 220 wrote to memory of 3580 | 220 | e57b48b.exe | 62 |
| PID 220 wrote to memory of 1624 | 220 | e57b48b.exe | 74 |
| PID 220 wrote to memory of 5116 | 220 | e57b48b.exe | 76 |
| PID 220 wrote to memory of 5056 | 220 | e57b48b.exe | 81 |
| PID 220 wrote to memory of 2940 | 220 | e57b48b.exe | 82 |
| PID 2940 wrote to memory of 2664 | 2940 | rundll32.exe | 84 |
| PID 220 wrote to memory of 2664 | 220 | e57b48b.exe | 84 |
| PID 2940 wrote to memory of 2820 | 2940 | rundll32.exe | 85 |
| PID 2820 wrote to memory of 788 | 2820 | e57f78f.exe | 8 |
| PID 2820 wrote to memory of 792 | 2820 | e57f78f.exe | 9 |
| PID 2820 wrote to memory of 60 | 2820 | e57f78f.exe | 13 |
| PID 2820 wrote to memory of 2988 | 2820 | e57f78f.exe | 50 |
| PID 2820 wrote to memory of 2232 | 2820 | e57f78f.exe | 51 |
| PID 2820 wrote to memory of 740 | 2820 | e57f78f.exe | 52 |
| PID 2820 wrote to memory of 3420 | 2820 | e57f78f.exe | 56 |
| PID 2820 wrote to memory of 3544 | 2820 | e57f78f.exe | 57 |
| PID 2820 wrote to memory of 3748 | 2820 | e57f78f.exe | 58 |
| PID 2820 wrote to memory of 3840 | 2820 | e57f78f.exe | 59 |
| PID 2820 wrote to memory of 3904 | 2820 | e57f78f.exe | 60 |
| PID 2820 wrote to memory of 3984 | 2820 | e57f78f.exe | 61 |
| PID 2820 wrote to memory of 3580 | 2820 | e57f78f.exe | 62 |
| PID 2820 wrote to memory of 1624 | 2820 | e57f78f.exe | 74 |
| PID 2820 wrote to memory of 5116 | 2820 | e57f78f.exe | 76 |

System policy modification (1 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b48b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f78f.exe |
Processes

Each entry gives the image path, the command line in parentheses where it differs from the path, and the PID; nesting shows the parent/child relationship, and the bullets under a process are the signatures it triggered.

- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:788
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:792
- C:\Windows\system32\dwm.exe ("dwm.exe") PID:60
- C:\Windows\system32\sihost.exe (sihost.exe) PID:2988
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID:2232
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID:740
- C:\Windows\Explorer.EXE PID:3420
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c01045781500cfe8073045614540798035cf547283a841a43864c4e840bde9e.dll,#1) PID:5056
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c01045781500cfe8073045614540798035cf547283a841a43864c4e840bde9e.dll,#1) PID:2940
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57b48b.exe PID:220
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57b630.exe PID:2664
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57f78f.exe PID:2820
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID:3544
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:3748
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID:3840
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3904
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID:3984
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3580
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID:1624
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:5116
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Filesize: 97KB
  - MD5: f1e07c4bb0f2c23fdc997b51e29865f1
  - SHA1: a14cb9068ec93c69edc041ade355ff7d88306806
  - SHA256: 29a40216550a5a7d4eaffc651450c2261682ce3e1ae571b7718d38c428abe37d
  - SHA512: ba248086d21a0f3ee93b84b15348d0c75b5ee2299add842a4e2614c178d0f528d98da4b0ebb01bd168efa0e9f13c739383679aa7d36822a0b70cd849bfff16f8
- Filesize: 257B
  - MD5: 49f98ab3559dacd2a932268ec7d8c7e4
  - SHA1: 468b77f58159484ca3fc7872b671aad06c645752
  - SHA256: 650fc0783575a9ddaf09450ee849bc4b055f1b299056ee9c5125dba8abcd8957
  - SHA512: 61c9d36fa9cf655a882dd4ffda2d10e5b772968f9e43f6655c37e6e454c201cadc5b322025d1bbf279cdc1800819fe646074c915d26b4e9b44a82e79c4244b98