Analysis
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 00:47
Static task: static1
Behavioral task: behavioral1
Sample: a12b6edd4834221137d67aac8f208b9d30e5e36c9dc8f95f7f1561d8ffb3a28eN.dll
Resource: win7-20240903-en
Note: the signatures and process tree below carry behavioral2/ memory-dump paths and match the windows10-2004_x64 platform listed above, not the win7-20240903-en resource of behavioral1.
General
Target: a12b6edd4834221137d67aac8f208b9d30e5e36c9dc8f95f7f1561d8ffb3a28eN.dll
Size: 120KB
MD5: 24ee250e7450d64727446d0cc9435ab0
SHA1: a4a7bc2720dfdd69a44872f42fd490c7cedcbd42
SHA256: a12b6edd4834221137d67aac8f208b9d30e5e36c9dc8f95f7f1561d8ffb3a28e
SHA512: d083b658e2e6e019355ae430c6f6f0d60b5e7eda0b5698497aecd7c37ea867d990dd12442a4d6320c0373a84ca85970d23c7266dc0deab02a3e94a826798ded5
SSDEEP: 1536:P7cgpmQC8GP1gRG924QYSPzMBLxdLgekKUB/AXSl+p2qKAtHp8iFy+eMCJBh:Jz1GGRwQYSoxdgekHKil42VANp1F0h
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
The three StandardProfile values together turn the Windows Firewall off, allow every exception and silence the firewall notifications.
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e577426.exe
Sality family
UAC bypass 2 IoCs
EnableLUA = 0 disables User Account Control entirely; the change takes effect at the next logon.
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e578fad.exe
Windows security bypass 12 IoCs
The Security Center *Override values tell Windows that antivirus and firewall are handled by another product; the *DisableNotify values suppress the corresponding warnings.
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e578fad.exe
Executes dropped EXE 4 IoCs
pid  Process
716  e577426.exe
2836  e5775bc.exe
4296  e578fad.exe
3088  e578fbd.exe
Windows security modification 14 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e577426.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e578fad.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e578fad.exe
Checks whether UAC is enabled 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e578fad.exe
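The registry values above (FirewallPolicy\StandardProfile, Policies\System\EnableLUA and the Security Center overrides) are the part of this report that transfers directly to host telemetry. The script below is an added example, not part of the Triage report: it transcribes those values into an IoC table, normalises Sysmon Event ID 13 (RegistryEvent: value set) paths into the sandbox's \REGISTRY\MACHINE form, and flags a process that hits two or more of the three value families. The event lines are constructed in a simplified key=value layout rather than Sysmon's XML; the two-family threshold, the folding of the WOW6432Node redirect and all function names are assumptions of this example.

```python
"""Match the Sality registry IoCs from this report against Sysmon-style
Event ID 13 (registry value set) records.

Added example; not part of the sandbox report.  Log lines are constructed in
a simplified key=value layout rather than Sysmon's XML."""
import re
from collections import defaultdict

FW = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
SC = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center"
LUA = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

# (path, expected DWORD) pairs transcribed from the report's signature tables.
SALITY_REGISTRY_IOCS = {
    FW + r"\EnableFirewall": 0,
    FW + r"\DoNotAllowExceptions": 0,
    FW + r"\DisableNotifications": 1,
    LUA: 0,
    **{SC + "\\" + name: 1 for name in (
        "AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
        "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify")},
}

_CONTROLSET = re.compile(r"\\(CurrentControlSet|ControlSet\d{3})\\", re.IGNORECASE)


def normalize_key(path: str) -> str:
    """Fold HKLM/HKEY_LOCAL_MACHINE, the live control set and the WOW6432Node
    redirect into the sandbox's lower-cased REGISTRY\\MACHINE form.
    Folding WOW6432Node is an assumption: the 32-bit sample in the report hit
    the redirected key, a 64-bit build would write the native one."""
    p = path.strip()
    low = p.lower()
    for prefix in ("hkey_local_machine\\", "hklm\\"):
        if low.startswith(prefix):
            p = "\\REGISTRY\\MACHINE\\" + p[len(prefix):]
            break
    p = _CONTROLSET.sub(r"\\ControlSet001\\", p)   # Sysmon shows CurrentControlSet
    return p.lower().replace("\\wow6432node", "")


NORMALIZED_IOCS = {normalize_key(k): v for k, v in SALITY_REGISTRY_IOCS.items()}


def family_of(key: str) -> str:
    """Which of the three IoC families a normalised key belongs to."""
    if "firewallpolicy" in key:
        return "firewall"
    if key.endswith("\\enablelua"):
        return "uac"
    return "security_center"


def parse_dword(details: str):
    """Sysmon renders REG_DWORD as 'DWORD (0x00000000)'; bare numbers also accepted."""
    m = re.search(r"(0x[0-9a-f]+|\d+)", details, re.IGNORECASE)
    if not m:
        return None
    s = m.group(1)
    return int(s, 16) if s.lower().startswith("0x") else int(s)


EVENT_RE = re.compile(
    r"EventID=(?P<eid>\d+)\s+Image=(?P<image>.+?)\s+TargetObject=(?P<target>.+?)\s+Details=(?P<details>.+)$")


def parse_event(line: str):
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def match_events(lines):
    """Return (hits, verdicts).  hits: (image, normalised key, family) per IoC
    match.  verdicts: image -> 'sality-like' if it touched >= 2 families,
    else 'suspicious'.  The threshold is an assumption, not a report value."""
    hits, families = [], defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["eid"] != "13":
            continue
        key = normalize_key(ev["target"])
        if key not in NORMALIZED_IOCS:
            continue
        if parse_dword(ev["details"]) != NORMALIZED_IOCS[key]:
            continue  # e.g. an admin setting EnableLUA back to 1 is not a hit
        fam = family_of(key)
        hits.append((ev["image"], key, fam))
        families[ev["image"]].add(fam)
    verdicts = {img: "sality-like" if len(f) >= 2 else "suspicious"
                for img, f in families.items()}
    return hits, verdicts


# Constructed sample events; Image paths mirror the report's dropped files.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\e577426.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall Details=DWORD (0x00000000)",
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\e577426.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000000)",
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\e577426.exe TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\e578fad.exe TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify Details=DWORD (0x00000001)",
    # Benign: policy re-enabling UAC writes 1, not the IoC value 0.
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000001)",
    # Key creation (Event ID 12) is outside this rule.
    r"EventID=12 Image=C:\Users\Admin\AppData\Local\Temp\e577426.exe TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc Details=(none)",
]

if __name__ == "__main__":
    found, verdict = match_events(SAMPLE_EVENTS)
    for image, key, fam in found:
        print(f"{fam:16} {image}  {key}")
    print(verdict)
```

Matching on the value as well as the path is what keeps the rule quiet on a host where policy turns UAC or the firewall back on; dropping that check turns every Group Policy refresh into a hit.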
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S:  e577426.exe (one IoC per drive letter, 14 in total)
Yara rule upx matched in memory dumps 32 IoCs
resource  yara_rule
behavioral2/memory/716-{6,8,9,10,11,12,13,14,24,33,35,36,37,38,39,41,53,59,60,61,75,77,81,82,84,86,89,91,95,100}-0x00000000007F0000-0x00000000018AA000-memory.dmp  upx (30 dumps of the same region in e577426.exe, PID 716)
behavioral2/memory/4296-{138,148}-0x0000000000B30000-0x0000000001BEA000-memory.dmp  upx (2 dumps of the same region in e578fad.exe, PID 4296)
Drops file in Program Files directory 4 IoCs
description  ioc  Process
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  e577426.exe
File opened for modification  C:\Program Files\7-Zip\7z.exe  e577426.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe  e577426.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe  e577426.exe
Drops file in Windows directory 3 IoCs
description  ioc  Process
File created  C:\Windows\e577484  e577426.exe
File opened for modification  C:\Windows\SYSTEM.INI  e577426.exe
File created  C:\Windows\e57de0c  e578fad.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e577426.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e5775bc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e578fad.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e578fbd.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid  Process
716  e577426.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeDebugPrivilege  716  e577426.exe (64 occurrences)
Suspicious use of WriteProcessMemory 54 IoCs
description  pid  Process  procid_target  (identical rows grouped; count in parentheses)
PID 3992 wrote to memory of 1068  3992  rundll32.exe  82  (x3)
PID 1068 wrote to memory of 716  1068  rundll32.exe  83  (x3)
PID 1068 wrote to memory of 2836  1068  rundll32.exe  84  (x3)
PID 1068 wrote to memory of 4296  1068  rundll32.exe  85  (x3)
PID 1068 wrote to memory of 3088  1068  rundll32.exe  86  (x3)
PID 716 wrote to memory of 800  716  e577426.exe  9  (x2)
PID 716 wrote to memory of 804  716  e577426.exe  10  (x2)
PID 716 wrote to memory of 380  716  e577426.exe  13  (x2)
PID 716 wrote to memory of 2940  716  e577426.exe  49  (x2)
PID 716 wrote to memory of 2956  716  e577426.exe  50  (x2)
PID 716 wrote to memory of 668  716  e577426.exe  52  (x2)
PID 716 wrote to memory of 3444  716  e577426.exe  56  (x2)
PID 716 wrote to memory of 3612  716  e577426.exe  57  (x2)
PID 716 wrote to memory of 3792  716  e577426.exe  58  (x2)
PID 716 wrote to memory of 3884  716  e577426.exe  59  (x2)
PID 716 wrote to memory of 3944  716  e577426.exe  60  (x2)
PID 716 wrote to memory of 4028  716  e577426.exe  61  (x2)
PID 716 wrote to memory of 4100  716  e577426.exe  62  (x2)
PID 716 wrote to memory of 2604  716  e577426.exe  74  (x2)
PID 716 wrote to memory of 228  716  e577426.exe  76  (x2)
PID 716 wrote to memory of 3992  716  e577426.exe  81  (x1)
PID 716 wrote to memory of 1068  716  e577426.exe  82  (x2)
PID 716 wrote to memory of 2836  716  e577426.exe  84  (x2)
PID 716 wrote to memory of 4296  716  e577426.exe  85  (x2)
PID 716 wrote to memory of 3088  716  e577426.exe  86  (x2)
Only the rundll32 writes into its own children are process creation. PID 716 (e577426.exe) writes into every other process in the sandbox's user session (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, StartMenuExperienceHost, RuntimeBroker, SearchApp and TextInputHost, all listed under Processes below) as well as into its two rundll32 ancestors and the three sibling droppers. The SeDebugPrivilege adjustments above are what let it open processes that run under other accounts, such as fontdrvhost.exe and dwm.exe.
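The WriteProcessMemory table mixes two very different things: writes into a process's own freshly created child (what CreateProcess does) and writes into processes the writer did not create. The script below, an added example that is not part of the Triage report, separates the two using the report's own data: WPM_ROWS is transcribed from the table above with duplicates removed, and PROCESS_TREE is transcribed from the Processes tree further down (parent None means top level in the sandbox's view). Function names and the output layout are assumptions of this example.

```python
"""Separate process-creation writes from injection candidates in this
report's WriteProcessMemory table.

Added example; not part of the sandbox report.  WPM_ROWS is transcribed from
the "Suspicious use of WriteProcessMemory" table (duplicates removed) and
PROCESS_TREE from the "Processes" tree; None = top level in the sandbox."""
import re
from collections import defaultdict

# pid -> (image, parent pid)
PROCESS_TREE = {
    800: ("fontdrvhost.exe", None), 804: ("fontdrvhost.exe", None),
    380: ("dwm.exe", None), 2940: ("sihost.exe", None), 2956: ("svchost.exe", None),
    668: ("taskhostw.exe", None), 3444: ("Explorer.EXE", None),
    3992: ("rundll32.exe", 3444), 1068: ("rundll32.exe", 3992),
    716: ("e577426.exe", 1068), 2836: ("e5775bc.exe", 1068),
    4296: ("e578fad.exe", 1068), 3088: ("e578fbd.exe", 1068),
    3612: ("svchost.exe", None), 3792: ("DllHost.exe", None),
    3884: ("StartMenuExperienceHost.exe", None), 3944: ("RuntimeBroker.exe", None),
    4028: ("SearchApp.exe", None), 4100: ("RuntimeBroker.exe", None),
    2604: ("TextInputHost.exe", None), 228: ("RuntimeBroker.exe", None),
}

WPM_ROWS = """\
PID 3992 wrote to memory of 1068 3992 rundll32.exe 82
PID 1068 wrote to memory of 716 1068 rundll32.exe 83
PID 716 wrote to memory of 800 716 e577426.exe 9
PID 716 wrote to memory of 804 716 e577426.exe 10
PID 716 wrote to memory of 380 716 e577426.exe 13
PID 716 wrote to memory of 2940 716 e577426.exe 49
PID 716 wrote to memory of 2956 716 e577426.exe 50
PID 716 wrote to memory of 668 716 e577426.exe 52
PID 716 wrote to memory of 3444 716 e577426.exe 56
PID 716 wrote to memory of 3612 716 e577426.exe 57
PID 716 wrote to memory of 3792 716 e577426.exe 58
PID 716 wrote to memory of 3884 716 e577426.exe 59
PID 716 wrote to memory of 3944 716 e577426.exe 60
PID 716 wrote to memory of 4028 716 e577426.exe 61
PID 716 wrote to memory of 4100 716 e577426.exe 62
PID 716 wrote to memory of 2604 716 e577426.exe 74
PID 716 wrote to memory of 228 716 e577426.exe 76
PID 716 wrote to memory of 3992 716 e577426.exe 81
PID 716 wrote to memory of 1068 716 e577426.exe 82
PID 1068 wrote to memory of 2836 1068 rundll32.exe 84
PID 1068 wrote to memory of 4296 1068 rundll32.exe 85
PID 1068 wrote to memory of 3088 1068 rundll32.exe 86
PID 716 wrote to memory of 2836 716 e577426.exe 84
PID 716 wrote to memory of 4296 716 e577426.exe 85
PID 716 wrote to memory of 3088 716 e577426.exe 86
"""

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_rows(text):
    """(writer pid, target pid, writer image) for every row that parses."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            rows.append((int(m[1]), int(m[2]), m[4]))
    return rows


def classify_writes(rows, tree):
    """writer pid -> {'children': targets it spawned, 'injected': everything else}."""
    out = defaultdict(lambda: {"children": set(), "injected": set()})
    for src, dst, _image in rows:
        parent = tree.get(dst, (None, None))[1]
        out[src]["children" if parent == src else "injected"].add(dst)
    return dict(out)


def injection_report(rows, tree):
    """'pid image' of each writer with injection targets -> [(pid, image), ...] by pid."""
    report = {}
    for src, buckets in classify_writes(rows, tree).items():
        if buckets["injected"]:
            writer = f"{src} {tree.get(src, ('?', None))[0]}"
            report[writer] = [(p, tree.get(p, ("?", None))[0]) for p in sorted(buckets["injected"])]
    return report


if __name__ == "__main__":
    for writer, targets in injection_report(parse_rows(WPM_ROWS), PROCESS_TREE).items():
        print(writer, "injected into", len(targets), "processes:")
        for pid, image in targets:
            print(f"  {pid:5} {image}")
```

The sandbox counts every WriteProcessMemory call regardless of size, so the child-writes from rundll32.exe are expected noise; the interesting set is the twenty non-children of PID 716, which is the full user session plus the sample's own ancestors and siblings.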
System policy modification 1 TTPs 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e577426.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e578fad.exe
Processes
Each entry is image path, command line and PID; children are indented under their parent, and the signatures hit by a process follow it as a list. The 64-bit rundll32.exe (PID 3992) cannot load a 32-bit DLL, so it hands the export over to C:\Windows\SysWOW64\rundll32.exe (PID 1068), which is why the dropped executables are children of the 32-bit instance.

C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID 800
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID 804
C:\Windows\system32\dwm.exe  "dwm.exe"  PID 380
C:\Windows\system32\sihost.exe  sihost.exe  PID 2940
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID 2956
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID 668
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID 3444
  C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a12b6edd4834221137d67aac8f208b9d30e5e36c9dc8f95f7f1561d8ffb3a28eN.dll,#1  PID 3992
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a12b6edd4834221137d67aac8f208b9d30e5e36c9dc8f95f7f1561d8ffb3a28eN.dll,#1  PID 1068
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e577426.exe  C:\Users\Admin\AppData\Local\Temp\e577426.exe  PID 716
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e5775bc.exe  C:\Users\Admin\AppData\Local\Temp\e5775bc.exe  PID 2836
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e578fad.exe  C:\Users\Admin\AppData\Local\Temp\e578fad.exe  PID 4296
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e578fbd.exe  C:\Users\Admin\AppData\Local\Temp\e578fbd.exe  PID 3088
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID 3612
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID 3792
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID 3884
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 3944
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID 4028
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 4100
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID 2604
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 228
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548) 1
    Bypass User Account Control (T1548.002) 1
  Create or Modify System Process (T1543) 1
    Windows Service (T1543.003) 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548) 1
    Bypass User Account Control (T1548.002) 1
  Impair Defenses (T1562) 4
    Disable or Modify System Firewall (T1562.004) 1
    Disable or Modify Tools (T1562.001) 3
  Modify Registry (T1112) 5
Downloads
Filesize: 97KB
MD5: 6503a43e7b937e8411a83ce68aebc73e
SHA1: 6a1ab64def3e31f1d7ab7c2179ecfeb629180a4f
SHA256: cd907cf48bed6243f2f0e3bf9122129fe75318cc0545c60ac39c1c1dc1674221
SHA512: d2f4b6a4c08b4a441382ef814c96a143961991b890f1389fb7c314bcb2277c3a1784a0c79d2dee4e97065b9d2d3d8309c10ae9e1abbdfd3f4867ae5e6533f46a

Filesize: 257B
MD5: f2bd9c9ca90ef6605ce2ea45fefd70a8
SHA1: 0b301d250d2459265d7fe6c1cd7a7716d3bbc936
SHA256: 799773bc7ab44587d819284d59f5ccd1c8bf29a1d2795317b21c08683c95caaf
SHA512: 02cebf6c2248b92a3df36f26526871f02f440ea38ee41570f776a0fd7f24f19a10ae10811ef3a7c5dc3419e513f1e56c4c857c224a05e93bae03438d2ec20d6c