Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
16-12-2024 21:30
Static task
static1
Behavioral task
behavioral1
Sample
d2aa1725106306f2c399bbfde6c8c1582bb7b0fd4014bf7d348e4cb9341b203dN.dll
Resource
win7-20240903-en
General
-
Target
d2aa1725106306f2c399bbfde6c8c1582bb7b0fd4014bf7d348e4cb9341b203dN.dll
-
Size
120KB
-
MD5
8d5f5f50488eb03b91c40cf227544520
-
SHA1
c80877d0f34a0a73afae2a6276693b7865c7d6c0
-
SHA256
d2aa1725106306f2c399bbfde6c8c1582bb7b0fd4014bf7d348e4cb9341b203d
-
SHA512
81f3b5696cb0a3d31d7d44560f58549a8010b1dab8dca75f03edc3563fac31f885f1a3ba5cb8f95a43b345da089d169b262915b72e1553acd8a70da3b2d37fe0
-
SSDEEP
1536:kevW5nAOIu8sSfL6DcNvFmXXyTp+o1Hk5Utt8funBoAp13Uxy5Nn6:bvW5n7CftIe58at8fmoArUWNn
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e578637.exe
-
Sality family
-
UAC bypass 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57b6ad.exe
-
Windows security bypass 12 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57b6ad.exe
-
Executes dropped EXE 3 IoCs
pid  Process
2984  e578637.exe
732  e5788d7.exe
2144  e57b6ad.exe
-
Windows security modification 14 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e578637.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e578637.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57b6ad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57b6ad.exe
-
Checks whether UAC is enabled 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57b6ad.exe
-
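The registry writes in the tables above (firewall policy values, EnableLUA, the Security Center override and DisableNotify values) are exactly the kind of thing worth turning into a host-side detection, because each one on its own looks like an administrator toggling a setting while the combination is the defence-impairment pattern this family is known for. The following Python is an added example and not part of this report or of any sandbox's code: it parses rows in the report's own `Set value (int) <path> = "<n>" <process>` format, normalises the paths so that the native and WOW6432Node views and any ControlSetNNN alias match the same rule, and flags writes whose value matches the impairing value seen here. The rule names, the two Sysmon-shaped records for e57b6ad.exe and the two benign rows are constructed for illustration; the threshold of three distinct rules is an assumption.

```python
"""Flag Sality-style defence-impairment registry writes.

Added example, not part of the sandbox report. IMPAIRMENT_RULES is derived from
the registry IoCs in this report; rule names, the Sysmon-style records and the two
benign rows are constructed for illustration, not real telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# path suffix -> (DWORD that impairs the defence, rule name). Suffix matching makes
# the native and WOW6432Node views and any ControlSetNNN alias all hit.
IMPAIRMENT_RULES = {
    r"\FirewallPolicy\StandardProfile\EnableFirewall": (0, "firewall_disabled"),
    r"\FirewallPolicy\StandardProfile\DoNotAllowExceptions": (0, "firewall_exceptions_allowed"),
    r"\FirewallPolicy\StandardProfile\DisableNotifications": (1, "firewall_policy_alerts_silenced"),
    r"\Policies\System\EnableLUA": (0, "uac_disabled"),
    r"\Security Center\AntiVirusOverride": (1, "av_status_overridden"),
    r"\Security Center\FirewallOverride": (1, "firewall_status_overridden"),
    r"\Security Center\AntiVirusDisableNotify": (1, "av_alerts_silenced"),
    r"\Security Center\FirewallDisableNotify": (1, "sc_firewall_alerts_silenced"),
    r"\Security Center\UpdatesDisableNotify": (1, "update_alerts_silenced"),
    r"\Security Center\UacDisableNotify": (1, "uac_alerts_silenced"),
}

@dataclass(frozen=True)
class RegistrySetEvent:
    process: str        # image name of the writing process
    target_object: str  # full path of the value, as the sensor renders it
    details: str        # '0' (this report) or 'DWORD (0x00000000)' (Sysmon EID 13)

@dataclass(frozen=True)
class Finding:
    process: str
    rule: str
    path: str

# Row shape of this report's "description ioc Process" tables.
REPORT_ROW = re.compile(
    r'^Set value \((?P<kind>\w+)\)\s+(?P<path>\\REGISTRY\\.+?)\s*=\s*"(?P<value>[^"]*)"\s+(?P<process>\S+)$'
)

def parse_report_rows(rows):
    events = []
    for row in rows:
        m = REPORT_ROW.match(row.strip())
        if m and m["kind"] == "int":
            events.append(RegistrySetEvent(m["process"], m["path"], m["value"]))
    return events

def normalize_path(path):
    """Drop the hive prefix, fold ControlSetNNN and remove the WOW6432Node view."""
    p = re.sub(r"^(\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\", "", path, flags=re.I)
    p = re.sub(r"^SYSTEM\\ControlSet\d+\\", r"SYSTEM\\CurrentControlSet\\", p, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)

def parse_dword(details):
    """Accept '0' or 'DWORD (0x00000001)'; None when nothing numeric is present."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"-?\d+", details)
    return int(m.group()) if m else None

def detect_impairment(events):
    findings = []
    for ev in events:
        path = normalize_path(ev.target_object)
        value = parse_dword(ev.details)
        for suffix, (bad_value, rule) in IMPAIRMENT_RULES.items():
            if path.lower().endswith(suffix.lower()) and value == bad_value:
                findings.append(Finding(ev.process, rule, path))
    return findings

def suspicious_processes(findings, min_rules=3):
    """Writers that tripped at least min_rules distinct rules (threshold assumed)."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.process].add(f.rule)
    return sorted(p for p, r in rules.items() if len(r) >= min_rules)

# Rows 1-5 are copied from this report; rows 6-7 are constructed to show that
# the value and the path both have to match before anything is flagged.
SAMPLE_REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e578637.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e578637.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e578637.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e578637.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e578637.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" constructed_hardening.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe',
]

# Constructed Sysmon-shaped records (HKLM prefix, DWORD rendering) for the second dropper.
SAMPLE_SYSMON_EVENTS = [
    RegistrySetEvent("e57b6ad.exe",
                     r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
                     "DWORD (0x00000000)"),
    RegistrySetEvent("e57b6ad.exe", r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    found = detect_impairment(parse_report_rows(SAMPLE_REPORT_ROWS) + SAMPLE_SYSMON_EVENTS)
    for f in found:
        print(f"{f.process:<28} {f.rule:<32} {f.path}")
    print("suspicious:", suspicious_processes(found))
```

Matching on a path suffix rather than the full key is deliberate: the report shows the 32-bit process landing in the WOW6432Node view of Security Center and in ControlSet001 rather than CurrentControlSet, and a rule pinned to one spelling would miss the other. The per-process count is what separates a hardening script that sets EnableLUA back to 1 from a dropper that clears it and silences every Security Center notification in the same second.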
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\G:  e578637.exe
File opened (read-only)  \??\H:  e578637.exe
File opened (read-only)  \??\J:  e578637.exe
File opened (read-only)  \??\K:  e578637.exe
File opened (read-only)  \??\E:  e57b6ad.exe
File opened (read-only)  \??\G:  e57b6ad.exe
File opened (read-only)  \??\E:  e578637.exe
File opened (read-only)  \??\I:  e578637.exe
File opened (read-only)  \??\L:  e578637.exe
File opened (read-only)  \??\H:  e57b6ad.exe
-
UPX packed file 29 IoCs
resource  yara_rule
behavioral2/memory/2984-6-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-7-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-9-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-12-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-11-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-10-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-30-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-35-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-29-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-24-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-31-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-37-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-36-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-38-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-39-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-40-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-53-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-56-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-57-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-59-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-60-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-62-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-63-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2984-65-0x0000000000760000-0x000000000181A000-memory.dmp  upx
behavioral2/memory/2144-91-0x0000000000780000-0x000000000183A000-memory.dmp  upx
behavioral2/memory/2144-95-0x0000000000780000-0x000000000183A000-memory.dmp  upx
behavioral2/memory/2144-96-0x0000000000780000-0x000000000183A000-memory.dmp  upx
behavioral2/memory/2144-120-0x0000000000780000-0x000000000183A000-memory.dmp  upx
behavioral2/memory/2144-144-0x0000000000780000-0x000000000183A000-memory.dmp  upx
-
Drops file in Windows directory 3 IoCs
description  ioc  Process
File created  C:\Windows\e5786b4  e578637.exe
File opened for modification  C:\Windows\SYSTEM.INI  e578637.exe
File created  C:\Windows\e57de2b  e57b6ad.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e5788d7.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57b6ad.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e578637.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid  Process
2984  e578637.exe
2984  e578637.exe
2984  e578637.exe
2984  e578637.exe
2144  e57b6ad.exe
2144  e57b6ad.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeDebugPrivilege  2984  e578637.exe  (this same entry is repeated 64 times; no other privilege or process appears)
-
Suspicious use of WriteProcessMemory 63 IoCs
description  pid  Process  procid_target
PID 4484 wrote to memory of 2780  4484  rundll32.exe  82
PID 4484 wrote to memory of 2780  4484  rundll32.exe  82
PID 4484 wrote to memory of 2780  4484  rundll32.exe  82
PID 2780 wrote to memory of 2984  2780  rundll32.exe  83
PID 2780 wrote to memory of 2984  2780  rundll32.exe  83
PID 2780 wrote to memory of 2984  2780  rundll32.exe  83
PID 2984 wrote to memory of 784  2984  e578637.exe  8
PID 2984 wrote to memory of 792  2984  e578637.exe  9
PID 2984 wrote to memory of 336  2984  e578637.exe  13
PID 2984 wrote to memory of 2804  2984  e578637.exe  49
PID 2984 wrote to memory of 2816  2984  e578637.exe  50
PID 2984 wrote to memory of 3020  2984  e578637.exe  52
PID 2984 wrote to memory of 3352  2984  e578637.exe  56
PID 2984 wrote to memory of 3508  2984  e578637.exe  57
PID 2984 wrote to memory of 3744  2984  e578637.exe  58
PID 2984 wrote to memory of 3840  2984  e578637.exe  59
PID 2984 wrote to memory of 3916  2984  e578637.exe  60
PID 2984 wrote to memory of 3996  2984  e578637.exe  61
PID 2984 wrote to memory of 4060  2984  e578637.exe  62
PID 2984 wrote to memory of 3012  2984  e578637.exe  75
PID 2984 wrote to memory of 1348  2984  e578637.exe  76
PID 2984 wrote to memory of 4484  2984  e578637.exe  81
PID 2984 wrote to memory of 2780  2984  e578637.exe  82
PID 2984 wrote to memory of 2780  2984  e578637.exe  82
PID 2780 wrote to memory of 732  2780  rundll32.exe  84
PID 2780 wrote to memory of 732  2780  rundll32.exe  84
PID 2780 wrote to memory of 732  2780  rundll32.exe  84
PID 2984 wrote to memory of 784  2984  e578637.exe  8
PID 2984 wrote to memory of 792  2984  e578637.exe  9
PID 2984 wrote to memory of 336  2984  e578637.exe  13
PID 2984 wrote to memory of 2804  2984  e578637.exe  49
PID 2984 wrote to memory of 2816  2984  e578637.exe  50
PID 2984 wrote to memory of 3020  2984  e578637.exe  52
PID 2984 wrote to memory of 3352  2984  e578637.exe  56
PID 2984 wrote to memory of 3508  2984  e578637.exe  57
PID 2984 wrote to memory of 3744  2984  e578637.exe  58
PID 2984 wrote to memory of 3840  2984  e578637.exe  59
PID 2984 wrote to memory of 3916  2984  e578637.exe  60
PID 2984 wrote to memory of 3996  2984  e578637.exe  61
PID 2984 wrote to memory of 4060  2984  e578637.exe  62
PID 2984 wrote to memory of 3012  2984  e578637.exe  75
PID 2984 wrote to memory of 1348  2984  e578637.exe  76
PID 2984 wrote to memory of 4484  2984  e578637.exe  81
PID 2984 wrote to memory of 732  2984  e578637.exe  84
PID 2984 wrote to memory of 732  2984  e578637.exe  84
PID 2780 wrote to memory of 2144  2780  rundll32.exe  85
PID 2780 wrote to memory of 2144  2780  rundll32.exe  85
PID 2780 wrote to memory of 2144  2780  rundll32.exe  85
PID 2144 wrote to memory of 784  2144  e57b6ad.exe  8
PID 2144 wrote to memory of 792  2144  e57b6ad.exe  9
PID 2144 wrote to memory of 336  2144  e57b6ad.exe  13
PID 2144 wrote to memory of 2804  2144  e57b6ad.exe  49
PID 2144 wrote to memory of 2816  2144  e57b6ad.exe  50
PID 2144 wrote to memory of 3020  2144  e57b6ad.exe  52
PID 2144 wrote to memory of 3352  2144  e57b6ad.exe  56
PID 2144 wrote to memory of 3508  2144  e57b6ad.exe  57
PID 2144 wrote to memory of 3744  2144  e57b6ad.exe  58
PID 2144 wrote to memory of 3840  2144  e57b6ad.exe  59
PID 2144 wrote to memory of 3916  2144  e57b6ad.exe  60
PID 2144 wrote to memory of 3996  2144  e57b6ad.exe  61
PID 2144 wrote to memory of 4060  2144  e57b6ad.exe  62
PID 2144 wrote to memory of 3012  2144  e57b6ad.exe  75
PID 2144 wrote to memory of 1348  2144  e57b6ad.exe  76
-
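The signal in the table above is the fan-out, not any single write. A parent legitimately writes into the child it is creating, which is why rundll32.exe (4484) writing into its SysWOW64 child (2780), and 2780 writing into each of the three executables it launched, is expected; e578637.exe (2984) and e57b6ad.exe (2144) each writing into fifteen pre-existing Windows processes (fontdrvhost.exe, dwm.exe, svchost.exe, sihost.exe, taskhostw.exe, Explorer.EXE, DllHost.exe, RuntimeBroker.exe and the rest) plus their own loader chain is not. The Python below is an added example and not part of the report: it parses rows in the table's own format, discounts writes into a writer's own children using the parent links from the process tree, and ranks writers by how many unrelated processes running from C:\Windows they touched. PROCESS_IMAGES and PARENT_OF are copied from this report's process list; the embedded input is a subset of the table's rows; the threshold of three is an assumption.

```python
"""Rank processes by writes into unrelated Windows processes.

Added example, not part of the sandbox report. Input rows follow the format of
the report's "Suspicious use of WriteProcessMemory" table; PROCESS_IMAGES and
PARENT_OF are copied from the report's process list; the threshold is assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# "PID <src> wrote to memory of <dst> <src> <image> <target index>", as many rows
# as the text contains (the report runs them together on a single line).
WPM_ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)"
)

# PID -> image path, from this report's process list (subset).
PROCESS_IMAGES = {
    784: r"C:\Windows\system32\fontdrvhost.exe",
    792: r"C:\Windows\system32\fontdrvhost.exe",
    336: r"C:\Windows\system32\dwm.exe",
    3352: r"C:\Windows\Explorer.EXE",
    3916: r"C:\Windows\System32\RuntimeBroker.exe",
    4484: r"C:\Windows\system32\rundll32.exe",
    2780: r"C:\Windows\SysWOW64\rundll32.exe",
    2984: r"C:\Users\Admin\AppData\Local\Temp\e578637.exe",
    732: r"C:\Users\Admin\AppData\Local\Temp\e5788d7.exe",
    2144: r"C:\Users\Admin\AppData\Local\Temp\e57b6ad.exe",
}
# child PID -> parent PID, from the report's process tree.
PARENT_OF = {2780: 4484, 2984: 2780, 732: 2780, 2144: 2780}

@dataclass(frozen=True)
class InjectorFinding:
    pid: int
    image: str
    foreign_targets: int  # distinct targets that are not the writer's own children
    system_targets: int   # of those, how many run from C:\Windows
    targets: tuple

def parse_wpm_rows(text):
    return [(int(m["src"]), int(m["dst"]), m["image"]) for m in WPM_ROW.finditer(text)]

def is_windows_image(path):
    return path.lower().startswith("c:\\windows\\")

def flag_injectors(rows, min_system_targets=3):
    writes = defaultdict(set)
    for src, dst, _ in rows:
        writes[src].add(dst)
    findings = []
    for src, dsts in writes.items():
        # CreateProcess legitimately writes into the new child; do not count those.
        foreign = {d for d in dsts if PARENT_OF.get(d) != src}
        system = {d for d in foreign if is_windows_image(PROCESS_IMAGES.get(d, ""))}
        if len(system) >= min_system_targets:
            findings.append(InjectorFinding(src, PROCESS_IMAGES.get(src, "?"),
                                            len(foreign), len(system), tuple(sorted(foreign))))
    findings.sort(key=lambda f: (-f.system_targets, f.pid))
    return findings

# Subset of the report's rows, in the report's own run-together layout.
SAMPLE_WPM_TEXT = (
    "PID 4484 wrote to memory of 2780 4484 rundll32.exe 82 "
    "PID 4484 wrote to memory of 2780 4484 rundll32.exe 82 "
    "PID 2780 wrote to memory of 2984 2780 rundll32.exe 83 "
    "PID 2984 wrote to memory of 784 2984 e578637.exe 8 "
    "PID 2984 wrote to memory of 792 2984 e578637.exe 9 "
    "PID 2984 wrote to memory of 336 2984 e578637.exe 13 "
    "PID 2984 wrote to memory of 3352 2984 e578637.exe 56 "
    "PID 2984 wrote to memory of 3916 2984 e578637.exe 60 "
    "PID 2984 wrote to memory of 4484 2984 e578637.exe 81 "
    "PID 2984 wrote to memory of 2780 2984 e578637.exe 82 "
    "PID 2984 wrote to memory of 732 2984 e578637.exe 84 "
    "PID 2144 wrote to memory of 784 2144 e57b6ad.exe 8 "
    "PID 2144 wrote to memory of 336 2144 e57b6ad.exe 13 "
    "PID 2144 wrote to memory of 3352 2144 e57b6ad.exe 56 "
)

if __name__ == "__main__":
    for f in flag_injectors(parse_wpm_rows(SAMPLE_WPM_TEXT)):
        print(f"{f.pid}  {f.image}  foreign={f.foreign_targets}  windows={f.system_targets}  {f.targets}")
```

On this subset the two droppers are the only writers left once parent-to-child writes are removed: 2984 touched eight unrelated processes, seven of them Windows binaries, and 2144 three. With real telemetry the parent link comes from the process-creation event rather than a hard-coded table, but the test is the same: a process writing into processes it did not start, and especially into ones that were running before it, is the behaviour to alert on.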
System policy modification 1 TTPs 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e578637.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57b6ad.exe
Processes
(image  command line  PID; child processes are indented under their parent, with the signatures each process triggered listed beneath it)
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:784
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:792
C:\Windows\system32\dwm.exe  "dwm.exe"  PID:336
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2804
C:\Windows\system32\sihost.exe  sihost.exe  PID:2816
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:3020
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3352
    C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2aa1725106306f2c399bbfde6c8c1582bb7b0fd4014bf7d348e4cb9341b203dN.dll,#1  PID:4484
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2aa1725106306f2c399bbfde6c8c1582bb7b0fd4014bf7d348e4cb9341b203dN.dll,#1  PID:2780
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e578637.exe  C:\Users\Admin\AppData\Local\Temp\e578637.exe  PID:2984
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e5788d7.exe  C:\Users\Admin\AppData\Local\Temp\e5788d7.exe  PID:732
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e57b6ad.exe  C:\Users\Admin\AppData\Local\Temp\e57b6ad.exe  PID:2144
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3508
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3744
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3840
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3916
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:3996
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4060
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:3012
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:1348
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize  97KB
MD5  5c55c78edb1e4063c9104a4fc3eb2d2a
SHA1  ac8a23fb425d7b9fee71dec1689d1dcf1b544c8c
SHA256  7ceaa1a5387f155b272bd67973fd2764877365099ae1badd7171a5f7ff420327
SHA512  dec0ffe7b020c1aa8c0cdac8d9cc935cfbf1c0e01a9542d22c007c604743af326eb2ba9871c65625cb470b74adb9febb1184c8105ff357965a9ee85764b08b52
-
Filesize  257B
MD5  7b85674659c0868083e02dc1131836a3
SHA1  49d41aaedf92937a09756cfb712792b1d7b2f542
SHA256  23291b344fc599ee4f39008416d88dc73f77a1bb434fe1a62576b14e4ab3b759
SHA512  51c84c960d5a826fb186911ae45d5b7cf470e3a14d18f0453c4dfcb68a552bb8db01a4f108c4d7c07ab872c2f51fbc9837dd7317a139409ba7c8caeeedbec172