Analysis

max time kernel: 95s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 23:17

Static task: static1
Behavioral task: behavioral1
Sample: 55d0c0a77720a7a34c2f7a4c053addf81792238edafbd634639cfb599ecf1737.dll
Resource: win7-20240903-en
General

Target: 55d0c0a77720a7a34c2f7a4c053addf81792238edafbd634639cfb599ecf1737.dll
Size: 120KB
MD5: a743091bdec11e611732a5b570af4414
SHA1: 6eb00dae89886c9716a486937cfe8ba72dd5244e
SHA256: 55d0c0a77720a7a34c2f7a4c053addf81792238edafbd634639cfb599ecf1737
SHA512: e125b69885c676ba112dfe76d670c04c756b6bbfc6ef19a0b48f75a1ca992e36bd6050f1dc0e5f0691d78a4549066eb067e5fb366fa60f0c1f870132c9d30900
SSDEEP: 1536:Jz8+gCE1CsJalE6LsL+Mfy27remS1Yvg4AUtMRoiG8/efJdxIFUmqfV1wfmMB7WD:F5gXoIl6LD9AwYA2yo2/wJ8SdN1uvw
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57d764.exe
Sality family

UAC bypass 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a827.exe
Windows security bypass 12 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57d764.exe
Executes dropped EXE 3 IoCs
pid  Process
964  e57a827.exe
2960  e57a940.exe
4604  e57d764.exe
Windows security modification 14 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57a827.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57d764.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e57d764.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57a827.exe
Checks whether UAC is enabled 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57d764.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\G:  e57a827.exe
File opened (read-only)  \??\M:  e57a827.exe
File opened (read-only)  \??\N:  e57a827.exe
File opened (read-only)  \??\G:  e57d764.exe
File opened (read-only)  \??\I:  e57a827.exe
File opened (read-only)  \??\K:  e57a827.exe
File opened (read-only)  \??\E:  e57d764.exe
File opened (read-only)  \??\J:  e57d764.exe
File opened (read-only)  \??\H:  e57a827.exe
File opened (read-only)  \??\J:  e57a827.exe
File opened (read-only)  \??\L:  e57a827.exe
File opened (read-only)  \??\E:  e57a827.exe
File opened (read-only)  \??\H:  e57d764.exe
File opened (read-only)  \??\I:  e57d764.exe
UPX packed file (yara_rule: upx) 28 IoCs
resource  yara_rule
behavioral2/memory/964-9-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-11-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-13-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-28-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-34-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-35-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-27-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-12-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-10-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-8-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-6-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-37-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-36-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-38-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-39-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-40-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-47-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-58-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-59-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-61-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-63-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-64-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-65-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-68-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-70-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/964-75-0x00000000007A0000-0x000000000185A000-memory.dmp  upx
behavioral2/memory/4604-113-0x0000000000820000-0x00000000018DA000-memory.dmp  upx
behavioral2/memory/4604-150-0x0000000000820000-0x00000000018DA000-memory.dmp  upx
Drops file in Windows directory 3 IoCs
description  ioc  Process
File created  C:\Windows\e57a875  e57a827.exe
File opened for modification  C:\Windows\SYSTEM.INI  e57a827.exe
File created  C:\Windows\e57fea3  e57d764.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57a827.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57a940.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57d764.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid  Process
964  e57a827.exe
964  e57a827.exe
964  e57a827.exe
964  e57a827.exe
4604  e57d764.exe
4604  e57d764.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeDebugPrivilege  964  e57a827.exe
(this identical entry is recorded 64 times for PID 964, e57a827.exe)
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 3088 wrote to memory of 3488  3088  rundll32.exe  83
PID 3088 wrote to memory of 3488  3088  rundll32.exe  83
PID 3088 wrote to memory of 3488  3088  rundll32.exe  83
PID 3488 wrote to memory of 964  3488  rundll32.exe  84
PID 3488 wrote to memory of 964  3488  rundll32.exe  84
PID 3488 wrote to memory of 964  3488  rundll32.exe  84
PID 964 wrote to memory of 788  964  e57a827.exe  9
PID 964 wrote to memory of 796  964  e57a827.exe  10
PID 964 wrote to memory of 64  964  e57a827.exe  13
PID 964 wrote to memory of 2660  964  e57a827.exe  44
PID 964 wrote to memory of 2680  964  e57a827.exe  45
PID 964 wrote to memory of 2884  964  e57a827.exe  51
PID 964 wrote to memory of 3448  964  e57a827.exe  56
PID 964 wrote to memory of 3556  964  e57a827.exe  57
PID 964 wrote to memory of 3740  964  e57a827.exe  58
PID 964 wrote to memory of 3832  964  e57a827.exe  59
PID 964 wrote to memory of 3896  964  e57a827.exe  60
PID 964 wrote to memory of 3988  964  e57a827.exe  61
PID 964 wrote to memory of 1820  964  e57a827.exe  62
PID 964 wrote to memory of 5064  964  e57a827.exe  75
PID 964 wrote to memory of 1328  964  e57a827.exe  76
PID 964 wrote to memory of 2468  964  e57a827.exe  81
PID 964 wrote to memory of 3088  964  e57a827.exe  82
PID 964 wrote to memory of 3488  964  e57a827.exe  83
PID 964 wrote to memory of 3488  964  e57a827.exe  83
PID 3488 wrote to memory of 2960  3488  rundll32.exe  85
PID 3488 wrote to memory of 2960  3488  rundll32.exe  85
PID 3488 wrote to memory of 2960  3488  rundll32.exe  85
PID 964 wrote to memory of 788  964  e57a827.exe  9
PID 964 wrote to memory of 796  964  e57a827.exe  10
PID 964 wrote to memory of 64  964  e57a827.exe  13
PID 964 wrote to memory of 2660  964  e57a827.exe  44
PID 964 wrote to memory of 2680  964  e57a827.exe  45
PID 964 wrote to memory of 2884  964  e57a827.exe  51
PID 964 wrote to memory of 3448  964  e57a827.exe  56
PID 964 wrote to memory of 3556  964  e57a827.exe  57
PID 964 wrote to memory of 3740  964  e57a827.exe  58
PID 964 wrote to memory of 3832  964  e57a827.exe  59
PID 964 wrote to memory of 3896  964  e57a827.exe  60
PID 964 wrote to memory of 3988  964  e57a827.exe  61
PID 964 wrote to memory of 1820  964  e57a827.exe  62
PID 964 wrote to memory of 5064  964  e57a827.exe  75
PID 964 wrote to memory of 1328  964  e57a827.exe  76
PID 964 wrote to memory of 2468  964  e57a827.exe  81
PID 964 wrote to memory of 3088  964  e57a827.exe  82
PID 964 wrote to memory of 2960  964  e57a827.exe  85
PID 964 wrote to memory of 2960  964  e57a827.exe  85
PID 3488 wrote to memory of 4604  3488  rundll32.exe  86
PID 3488 wrote to memory of 4604  3488  rundll32.exe  86
PID 3488 wrote to memory of 4604  3488  rundll32.exe  86
PID 4604 wrote to memory of 788  4604  e57d764.exe  9
PID 4604 wrote to memory of 796  4604  e57d764.exe  10
PID 4604 wrote to memory of 64  4604  e57d764.exe  13
PID 4604 wrote to memory of 2660  4604  e57d764.exe  44
PID 4604 wrote to memory of 2680  4604  e57d764.exe  45
PID 4604 wrote to memory of 2884  4604  e57d764.exe  51
PID 4604 wrote to memory of 3448  4604  e57d764.exe  56
PID 4604 wrote to memory of 3556  4604  e57d764.exe  57
PID 4604 wrote to memory of 3740  4604  e57d764.exe  58
PID 4604 wrote to memory of 3832  4604  e57d764.exe  59
PID 4604 wrote to memory of 3896  4604  e57d764.exe  60
PID 4604 wrote to memory of 3988  4604  e57d764.exe  61
PID 4604 wrote to memory of 1820  4604  e57d764.exe  62
PID 4604 wrote to memory of 5064  4604  e57d764.exe  75
System policy modification 1 TTPs 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a827.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57d764.exe
Processes
(indentation shows the parent/child nesting of the process tree)

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 788

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 796

C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 64

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2660

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2680

C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2884

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3448

    C:\Windows\system32\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\55d0c0a77720a7a34c2f7a4c053addf81792238edafbd634639cfb599ecf1737.dll,#1
      - Suspicious use of WriteProcessMemory
      PID: 3088

        C:\Windows\SysWOW64\rundll32.exe
          command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\55d0c0a77720a7a34c2f7a4c053addf81792238edafbd634639cfb599ecf1737.dll,#1
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 3488

            C:\Users\Admin\AppData\Local\Temp\e57a827.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57a827.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 964

            C:\Users\Admin\AppData\Local\Temp\e57a940.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57a940.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID: 2960

            C:\Users\Admin\AppData\Local\Temp\e57d764.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57d764.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 4604

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3556

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3832

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3988

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1820

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 5064

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1328

C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 2468
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 5737ef262c938064204f97cc828c57b5
SHA1: 4a24a3c711ef98ae48e26212153c56488ea0167f
SHA256: 39fae085283bb3122bad060d7d917c3251d21222156aeca3cd456688f7d206b2
SHA512: 888d3659799335d8504a39bba0c61019c5c1e62788fe95265cd9f8f7b88ef94918d6750db793e5d8c37d9c01392577d4f0df12e8fe742e745bc295ccea6a3ae4

Filesize: 257B
MD5: 7c8e8eecb3c8541838602aa57f303d08
SHA1: 55f412b797d548181c96ac995db9cb226641a093
SHA256: 05c6159c5b4d11effa50bb8cba39428ac90fe78ebe03d16c2092e56304bb1ee6
SHA512: 0e4dad2ca25577bddea48ceccc543af40e63e4e2394631b6e7b48c0e465daf677064870c188dc00c15b6cc66d6e34ee3f2e9612ecf6cda048029d90b12a703c0