Analysis
- max time kernel: 31s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-12-2024 04:24

Static task: static1
Behavioral task: behavioral1
Sample: 56ef628235d79e1e0ba97b5799741ce7baececa70ada39359886b8edadcd7b54.dll
Resource: win7-20240903-en
General
- Target: 56ef628235d79e1e0ba97b5799741ce7baececa70ada39359886b8edadcd7b54.dll
- Size: 120KB
- MD5: f19196937de973f9268ecd8f6ca26c8f
- SHA1: d6d1657ad48f1bfea960e212b9432eee61c126b5
- SHA256: 56ef628235d79e1e0ba97b5799741ce7baececa70ada39359886b8edadcd7b54
- SHA512: aa2c109a08ab5f8354133b6b50c49dbdd573b1fb8e9f1ae87a8d52fa898c80ee2f2e659db4ecf7f949519a501a4a84c4bdd8b79de4c98c648c70800130ca23e2
- SSDEEP: 3072:zdpHLGyQBVcoHoMcv0+dtsyHRd1wnEyXeed:fLW2KoMA0+dtLXOnfxd
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578916.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578916.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578916.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b65f.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b65f.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b65f.exe
Sality family

UAC bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578916.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b65f.exe
Windows security bypass
description | ioc | Process
Set value (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\, each written by both e578916.exe and e57b65f.exe (12 entries):
- AntiVirusOverride = "1"
- AntiVirusDisableNotify = "1"
- UpdatesDisableNotify = "1"
- UacDisableNotify = "1"
- FirewallDisableNotify = "1"
- FirewallOverride = "1"
Executes dropped EXE (3 IoCs)
pid | Process
- 2236 | e578916.exe
- 116 | e578a3e.exe
- 3384 | e57b65f.exe
Windows security modification
description | ioc | Process
Under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\, each performed by both e578916.exe and e57b65f.exe (14 entries):
- Set value (int) | AntiVirusOverride = "1"
- Set value (int) | AntiVirusDisableNotify = "1"
- Set value (int) | UpdatesDisableNotify = "1"
- Set value (int) | UacDisableNotify = "1"
- Set value (int) | FirewallDisableNotify = "1"
- Set value (int) | FirewallOverride = "1"
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Checks whether UAC is enabled
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578916.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b65f.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N: | e578916.exe
- File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J: | e57b65f.exe
UPX YARA rule matches (28 memory dumps)
resource | yara_rule
- behavioral2/memory/2236-<n>-0x0000000000750000-0x000000000180A000-memory.dmp | upx (25 dumps of PID 2236; n = 6, 8, 9, 10, 11, 19, 22, 29, 32, 34, 35, 36, 37, 38, 39, 45, 55, 57, 59, 60, 62, 63, 66, 68, 73)
- behavioral2/memory/3384-<n>-0x00000000008A0000-0x000000000195A000-memory.dmp | upx (3 dumps of PID 3384; n = 112, 146, 147)
Drops file in Windows directory (3 IoCs)
description | ioc | Process
- File created | C:\Windows\e578993 | e578916.exe
- File opened for modification | C:\Windows\SYSTEM.INI | e578916.exe
- File created | C:\Windows\e57dd9e | e57b65f.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578916.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578a3e.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b65f.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
- 2236 | e578916.exe (4 entries)
- 3384 | e57b65f.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 2236 | e578916.exe (all 64 entries are this same row)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (grouped by the writing process; the index in parentheses is the target's procid_target)
- PID 2228 rundll32.exe wrote to memory of 4884 (84): 3 entries
- PID 4884 rundll32.exe wrote to memory of 2236 (85), 116 (86) and 3384 (87): 3 entries each, 9 total
- PID 2236 e578916.exe wrote to memory of 800 (8), 808 (9), 376 (13), 2724 (45), 2824 (50), 2068 (51), 3508 (56), 3612 (57), 3800 (58), 3908 (59), 3972 (60), 4080 (61), 4152 (62), 4328 (73), 4388 (75), 3700 (77), 4564 (82), 2228 (83), 4884 (84) and 116 (86): 2 entries each, 40 total
- PID 3384 e57b65f.exe wrote to memory of 800 (8), 808 (9), 376 (13), 2724 (45), 2824 (50), 2068 (51), 3508 (56), 3612 (57), 3800 (58), 3908 (59), 3972 (60) and 4080 (61): 1 entry each, 12 total
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578916.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b65f.exe
Processes
PID | image path | command line (indentation shows depth in the process tree; matched signatures are listed under each process)
- PID 800 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- PID 808 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- PID 376 | C:\Windows\system32\dwm.exe | "dwm.exe"
- PID 2724 | C:\Windows\system32\sihost.exe | sihost.exe
- PID 2824 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2068 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 3508 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - PID 2228 | C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\56ef628235d79e1e0ba97b5799741ce7baececa70ada39359886b8edadcd7b54.dll,#1
      - Suspicious use of WriteProcessMemory
    - PID 4884 | C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\56ef628235d79e1e0ba97b5799741ce7baececa70ada39359886b8edadcd7b54.dll,#1
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      - PID 2236 | C:\Users\Admin\AppData\Local\Temp\e578916.exe | C:\Users\Admin\AppData\Local\Temp\e578916.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
      - PID 116 | C:\Users\Admin\AppData\Local\Temp\e578a3e.exe | C:\Users\Admin\AppData\Local\Temp\e578a3e.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
      - PID 3384 | C:\Users\Admin\AppData\Local\Temp\e57b65f.exe | C:\Users\Admin\AppData\Local\Temp\e57b65f.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - System policy modification
- PID 3612 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3800 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3908 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3972 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4080 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 4152 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4328 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4388 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 3700 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4564 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 8f70134d81bfba4f0b29f8912dcf93d3
  SHA1: af09ca9698e13004f4fd27f6e70cf9070885d47f
  SHA256: 64ae92cdb27e6720e82c2382d1ff295568784d65cd4461348a463fdb107941f1
  SHA512: 957e53ad8010021e675677f350cef699b19a909c1f5369b091f8d726e780ec21aea6d7396effbc0476aa8b46c13afaae88aee7a47d2fdeca40600f32852a53dc
- Filesize: 257B
  MD5: d5138071637d4d8d58a57022c71b5985
  SHA1: 6fabd2f7aa16e5cdd194cf866882db0c57cb1f31
  SHA256: f724fb1d481a78bf0a86253f039474e261b088fcf3af39a98fa59e0a0f103fe2
  SHA512: 6ed91d5bc58dd7b04256a330cc8393892fcc3bafef9da35b8c7ac48a0a7928cdbacb15b62df823e9178f481d730861c06471759fd047d1ab1cb3dbd69bb36363