Analysis

max time kernel: 93s
max time network: 117s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 00:25

Static task: static1
Behavioral task: behavioral1
  Sample: 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
  Resource: win7-20241010-en
General

Target: 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Size: 417KB
MD5: ab36f011716ff8c3035c7201689f6896
SHA1: 3cb1fdd41fa4fd02faef7fccddc3d7aa62f83097
SHA256: 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894
SHA512: c2fe8867855be40f5e9551a3c89957f8d14808de83908dbe305dcc65c4f9c55dc55badd11cc1b38f1f7d33c521c20c9d124c3590ec823537d3d83a794415661d
SSDEEP: 6144:GWb6GdYJGY1CLKd6Gr5xZH8XL7k19X0eTLE9AIHR1y9X9bk/0fkU/ADpWE67:GWbvhLq6y3H8X3k1liabe0fk2AD8d
Malware Config

Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Sality family

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
resource | yara_rule
behavioral2/memory/3800-1-0x0000000002370000-0x000000000342A000-memory.dmp | upx
behavioral2/memory/3800-3-0x0000000002370000-0x000000000342A000-memory.dmp | upx
behavioral2/memory/3800-4-0x0000000002370000-0x000000000342A000-memory.dmp | upx
behavioral2/memory/3800-5-0x0000000002370000-0x000000000342A000-memory.dmp | upx
behavioral2/memory/3800-8-0x0000000002370000-0x000000000342A000-memory.dmp | upx
behavioral2/memory/3800-19-0x0000000002370000-0x000000000342A000-memory.dmp | upx
behavioral2/memory/3800-10-0x0000000002370000-0x000000000342A000-memory.dmp | upx
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp | AdobeARM.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup | AdobeARM.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\e57c3cd | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
File opened for modification | C:\Windows\SYSTEM.INI | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdobeARM.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe (12 identical entries, all from PID 3800)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe (64 identical entries, all from PID 3800)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2984 | AdobeARM.exe
Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 3800 wrote to memory of 788 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 8
PID 3800 wrote to memory of 792 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 9
PID 3800 wrote to memory of 372 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 13
PID 3800 wrote to memory of 2940 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 50
PID 3800 wrote to memory of 3052 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 51
PID 3800 wrote to memory of 1108 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 53
PID 3800 wrote to memory of 3436 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 56
PID 3800 wrote to memory of 3560 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 57
PID 3800 wrote to memory of 3748 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 58
PID 3800 wrote to memory of 3836 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 59
PID 3800 wrote to memory of 3900 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 60
PID 3800 wrote to memory of 3984 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 61
PID 3800 wrote to memory of 3872 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 62
PID 3800 wrote to memory of 5016 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 75
PID 3800 wrote to memory of 880 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 76
PID 3800 wrote to memory of 3064 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 77
PID 3800 wrote to memory of 3456 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 78
PID 3800 wrote to memory of 2984 | 3800 | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | 84 (3 identical entries)
PID 2984 wrote to memory of 1556 | 2984 | AdobeARM.exe | 93 (3 identical entries)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
Processes

image path | command line | PID (indentation shows the parent/child relationship; bullets under an entry are the signatures triggered by that process)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:372
C:\Windows\system32\sihost.exe | sihost.exe | PID:2940
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3052
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:1108
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3436
    C:\Users\Admin\AppData\Local\Temp\6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe | "C:\Users\Admin\AppData\Local\Temp\6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe" | PID:3800
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Checks computer location settings
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" | PID:2984
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe" | PID:1556
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3560
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3748
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3836
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3900
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3984
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3872
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:5016
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:880
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3064
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3456
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads