Analysis
max time kernel: 95s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 15:24
Static task: static1
Behavioral task: behavioral1
Sample: f3d95106e162b5f89209c068c66a14c980ff64f6983e7c5dbf96325520613455N.dll
Resource: win7-20240903-en
General
Target: f3d95106e162b5f89209c068c66a14c980ff64f6983e7c5dbf96325520613455N.dll
Size: 120KB
MD5: 7a5ed0ff187aa889117dc40fe4038760
SHA1: 68a0a32a12d3d1e334922a1d5a93684777f98974
SHA256: f3d95106e162b5f89209c068c66a14c980ff64f6983e7c5dbf96325520613455
SHA512: 47ea05dac360bcacbeb9dc95badffd366d25b2b723433f19c28694aa3889cf84946040ff202214732562e1b7594ceb19a7a46176b69662505f31242f3fd41ea7
SSDEEP: 1536:YfpXQJUQzFLx1sxkE7DZFD4OKB2oU4SVEPX+dIWdkKW0P7NyK5FyMqTp:YfpgJ7RE3oB2Ju2SWSWvFyZ
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5772af.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b4e8.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b4e8.exe
Executes dropped EXE (3 IoCs)
pid | Process
1940 | e5772af.exe
1604 | e577417.exe
3032 | e57b4e8.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5772af.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5772af.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b4e8.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5772af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b4e8.exe
Enumerates connected drives (3 TTPs, 6 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57b4e8.exe
File opened (read-only) | \??\E: | e5772af.exe
File opened (read-only) | \??\G: | e5772af.exe
File opened (read-only) | \??\H: | e5772af.exe
File opened (read-only) | \??\I: | e5772af.exe
File opened (read-only) | \??\E: | e57b4e8.exe

resource | yara_rule
behavioral2/memory/1940-8-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-6-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-9-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-10-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-28-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-16-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-29-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-34-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-15-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-17-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-35-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-36-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-37-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-38-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-43-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-41-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-46-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-59-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-60-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-61-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/1940-63-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/3032-87-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3032-95-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3032-96-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3032-92-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3032-91-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3032-90-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3032-89-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3032-134-0x0000000000760000-0x000000000181A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57731d | e5772af.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5772af.exe
File created | C:\Windows\e57dd31 | e57b4e8.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5772af.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577417.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b4e8.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1940 | e5772af.exe
1940 | e5772af.exe
1940 | e5772af.exe
1940 | e5772af.exe
3032 | e57b4e8.exe
3032 | e57b4e8.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1940 | e5772af.exe (64 identical entries)
Suspicious use of WriteProcessMemory (60 IoCs)
description | pid | Process | procid_target
PID 3208 wrote to memory of 1268 | 3208 | rundll32.exe | 82
PID 3208 wrote to memory of 1268 | 3208 | rundll32.exe | 82
PID 3208 wrote to memory of 1268 | 3208 | rundll32.exe | 82
PID 1268 wrote to memory of 1940 | 1268 | rundll32.exe | 83
PID 1268 wrote to memory of 1940 | 1268 | rundll32.exe | 83
PID 1268 wrote to memory of 1940 | 1268 | rundll32.exe | 83
PID 1940 wrote to memory of 800 | 1940 | e5772af.exe | 9
PID 1940 wrote to memory of 808 | 1940 | e5772af.exe | 10
PID 1940 wrote to memory of 412 | 1940 | e5772af.exe | 13
PID 1940 wrote to memory of 2540 | 1940 | e5772af.exe | 42
PID 1940 wrote to memory of 2572 | 1940 | e5772af.exe | 43
PID 1940 wrote to memory of 2836 | 1940 | e5772af.exe | 49
PID 1940 wrote to memory of 3448 | 1940 | e5772af.exe | 56
PID 1940 wrote to memory of 3608 | 1940 | e5772af.exe | 57
PID 1940 wrote to memory of 3792 | 1940 | e5772af.exe | 58
PID 1940 wrote to memory of 3884 | 1940 | e5772af.exe | 59
PID 1940 wrote to memory of 3948 | 1940 | e5772af.exe | 60
PID 1940 wrote to memory of 4036 | 1940 | e5772af.exe | 61
PID 1940 wrote to memory of 3068 | 1940 | e5772af.exe | 74
PID 1940 wrote to memory of 3628 | 1940 | e5772af.exe | 76
PID 1940 wrote to memory of 3208 | 1940 | e5772af.exe | 81
PID 1940 wrote to memory of 1268 | 1940 | e5772af.exe | 82
PID 1940 wrote to memory of 1268 | 1940 | e5772af.exe | 82
PID 1268 wrote to memory of 1604 | 1268 | rundll32.exe | 84
PID 1268 wrote to memory of 1604 | 1268 | rundll32.exe | 84
PID 1268 wrote to memory of 1604 | 1268 | rundll32.exe | 84
PID 1940 wrote to memory of 800 | 1940 | e5772af.exe | 9
PID 1940 wrote to memory of 808 | 1940 | e5772af.exe | 10
PID 1940 wrote to memory of 412 | 1940 | e5772af.exe | 13
PID 1940 wrote to memory of 2540 | 1940 | e5772af.exe | 42
PID 1940 wrote to memory of 2572 | 1940 | e5772af.exe | 43
PID 1940 wrote to memory of 2836 | 1940 | e5772af.exe | 49
PID 1940 wrote to memory of 3448 | 1940 | e5772af.exe | 56
PID 1940 wrote to memory of 3608 | 1940 | e5772af.exe | 57
PID 1940 wrote to memory of 3792 | 1940 | e5772af.exe | 58
PID 1940 wrote to memory of 3884 | 1940 | e5772af.exe | 59
PID 1940 wrote to memory of 3948 | 1940 | e5772af.exe | 60
PID 1940 wrote to memory of 4036 | 1940 | e5772af.exe | 61
PID 1940 wrote to memory of 3068 | 1940 | e5772af.exe | 74
PID 1940 wrote to memory of 3628 | 1940 | e5772af.exe | 76
PID 1940 wrote to memory of 3208 | 1940 | e5772af.exe | 81
PID 1940 wrote to memory of 1604 | 1940 | e5772af.exe | 84
PID 1940 wrote to memory of 1604 | 1940 | e5772af.exe | 84
PID 1268 wrote to memory of 3032 | 1268 | rundll32.exe | 85
PID 1268 wrote to memory of 3032 | 1268 | rundll32.exe | 85
PID 1268 wrote to memory of 3032 | 1268 | rundll32.exe | 85
PID 3032 wrote to memory of 800 | 3032 | e57b4e8.exe | 9
PID 3032 wrote to memory of 808 | 3032 | e57b4e8.exe | 10
PID 3032 wrote to memory of 412 | 3032 | e57b4e8.exe | 13
PID 3032 wrote to memory of 2540 | 3032 | e57b4e8.exe | 42
PID 3032 wrote to memory of 2572 | 3032 | e57b4e8.exe | 43
PID 3032 wrote to memory of 2836 | 3032 | e57b4e8.exe | 49
PID 3032 wrote to memory of 3448 | 3032 | e57b4e8.exe | 56
PID 3032 wrote to memory of 3608 | 3032 | e57b4e8.exe | 57
PID 3032 wrote to memory of 3792 | 3032 | e57b4e8.exe | 58
PID 3032 wrote to memory of 3884 | 3032 | e57b4e8.exe | 59
PID 3032 wrote to memory of 3948 | 3032 | e57b4e8.exe | 60
PID 3032 wrote to memory of 4036 | 3032 | e57b4e8.exe | 61
PID 3032 wrote to memory of 3068 | 3032 | e57b4e8.exe | 74
PID 3032 wrote to memory of 3628 | 3032 | e57b4e8.exe | 76
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b4e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5772af.exe
Processes (indented by process-tree depth; command line in parentheses)

C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:800
C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:808
C:\Windows\system32\dwm.exe ("dwm.exe") PID:412
C:\Windows\system32\sihost.exe (sihost.exe) PID:2540
C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID:2572
C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID:2836
C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:3448
    C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3d95106e162b5f89209c068c66a14c980ff64f6983e7c5dbf96325520613455N.dll,#1) PID:3208
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3d95106e162b5f89209c068c66a14c980ff64f6983e7c5dbf96325520613455N.dll,#1) PID:1268
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e5772af.exe (C:\Users\Admin\AppData\Local\Temp\e5772af.exe) PID:1940
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e577417.exe (C:\Users\Admin\AppData\Local\Temp\e577417.exe) PID:1604
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e57b4e8.exe (C:\Users\Admin\AppData\Local\Temp\e57b4e8.exe) PID:3032
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID:3608
C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:3792
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID:3884
C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3948
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID:4036
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID:3068
C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3628
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Create or Modify System Process (1): Windows Service (1)

Defense Evasion
Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 0a5486342a2eb46f0b9ba5119e55ab95
SHA1: 7a6c6160991aba743aae23524ab2358002e6920f
SHA256: b2e0a0c5ecfe1af730d855fca9af3c06f1158859c335f80076491169a1ab221a
SHA512: 321912ce7b1bf9e779b75c24c4f7994ccd58c3d70503bd18af6d2285c024337ecc8c66e6e3357127ed5781ce68cae43ab1d00b741f3ef7f1140c4a565557152f

Filesize: 257B
MD5: 3f83690c871ee813f298c8f965bb3cdc
SHA1: 7ca30e9286e0ecb0d7ac3040ef6261d4b84035b2
SHA256: a9305022026ce5dd036bb02550bf33949f03ad38ce801327c919d056435cc52e
SHA512: e61a787ddaa5971bfc21f1a58c656502bf67e509943f9132a8f77da4e949c9c2eba421fd94544ab29a82a19d007f192ae97abef7a82fc93b1cd458422463b0ad