Analysis
- max time kernel: 31s
- max time network: 99s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2024 01:47
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9f654aea4a71e48f243c331ba5521140f6112876e4bfbb176ae937164d635809N.dll
- Resource: win7-20240903-en
General
- Target: 9f654aea4a71e48f243c331ba5521140f6112876e4bfbb176ae937164d635809N.dll
- Size: 120KB
- MD5: 494bcb8d7582ebb85e89c0221909dcc0
- SHA1: f697aecad6f34791158fcc7ba39ce7dbbedc7fb8
- SHA256: 9f654aea4a71e48f243c331ba5521140f6112876e4bfbb176ae937164d635809
- SHA512: 9682b50cf879c58bd1d0962df8b3debebe3548217acd63edcc2a1524e42891e267519073823431976f6364e825f6b7fb4c2df89e2f31709e785720d1f8e3f1bd
- SSDEEP: 1536:Y50oQpEBDumiJhOmFIpcI4LwJmhj71rubaRYP57X2ppwbxggZx6BN:EK8/iJApLJmV7Va6vfR3
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Sality family
UAC bypass
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Executes dropped EXE 3 IoCs
- PID 3924: e578c90.exe
- PID 936: e578f6f.exe
- PID 448: e57b371.exe
Windows security modification
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- e578c90.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- e57b371.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Checks whether UAC is enabled
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- e578c90.exe: File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:
- e57b371.exe: File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:
Memory dumps matching yara_rule upx
- behavioral2/memory/3924-6-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-8-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-9-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-10-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-12-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-11-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-19-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-21-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-22-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-18-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-20-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-38-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-37-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-39-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-40-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-41-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-58-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-60-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-61-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-62-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-64-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-67-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-68-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-70-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/3924-74-0x00000000007B0000-0x000000000186A000-memory.dmp
- behavioral2/memory/448-112-0x0000000000B20000-0x0000000001BDA000-memory.dmp
- behavioral2/memory/448-145-0x0000000000B20000-0x0000000001BDA000-memory.dmp
Drops file in Windows directory 3 IoCs
- e578c90.exe: File created C:\Windows\e578d0d
- e578c90.exe: File opened for modification C:\Windows\SYSTEM.INI
- e57b371.exe: File created C:\Windows\e57e06d
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- rundll32.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- e578c90.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- e578f6f.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- e57b371.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 3924 e578c90.exe (4 events)
- PID 448 e57b371.exe (2 events)
Suspicious use of AdjustPrivilegeToken 64 IoCs
- PID 3924 e578c90.exe: Token: SeDebugPrivilege (all 64 events are this same token and process)
Suspicious use of WriteProcessMemory 64 IoCs
Source PID and process, then the target PIDs it wrote to (procid_target in parentheses); repeated identical events are collapsed.
- PID 976 rundll32.exe wrote to memory of: 2844 (83)
- PID 2844 rundll32.exe wrote to memory of: 3924 (84), 936 (85), 448 (86)
- PID 3924 e578c90.exe wrote to memory of: 800 (9), 808 (10), 388 (13), 2828 (49), 2876 (50), 2884 (52), 3504 (56), 3624 (57), 3824 (58), 3916 (59), 3980 (60), 4076 (61), 2696 (62), 1644 (75), 2960 (76), 3528 (81), 976 (82), 2844 (83), 936 (85), 448 (86)
- PID 448 e57b371.exe wrote to memory of: 800 (9), 808 (10), 388 (13), 2828 (49), 2876 (50), 2884 (52), 3504 (56), 3624 (57), 3824 (58), 3916 (59), 3980 (60), 4076 (61), 2696 (62)
System policy modification 1 TTPs 2 IoCs
- e578c90.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e57b371.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
Each entry gives the image path, the command line in parentheses, and the PID; children are indented under their parent.
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:800
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:808
- C:\Windows\system32\dwm.exe ("dwm.exe") PID:388
- C:\Windows\system32\sihost.exe (sihost.exe) PID:2828
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID:2876
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID:2884
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:3504
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f654aea4a71e48f243c331ba5521140f6112876e4bfbb176ae937164d635809N.dll,#1) PID:976
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f654aea4a71e48f243c331ba5521140f6112876e4bfbb176ae937164d635809N.dll,#1) PID:2844
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e578c90.exe (C:\Users\Admin\AppData\Local\Temp\e578c90.exe) PID:3924
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e578f6f.exe (C:\Users\Admin\AppData\Local\Temp\e578f6f.exe) PID:936
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57b371.exe (C:\Users\Admin\AppData\Local\Temp\e57b371.exe) PID:448
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID:3624
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:3824
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID:3916
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3980
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID:4076
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:2696
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID:1644
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:2960
- C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca) PID:3528
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: e492871c8530bca5b5da874769aa0185
  SHA1: 28ea6dbab3f3e2b73913772c0f618587c601bcf4
  SHA256: 62b6bfead12bd27bd7037d05e3287d5ba9709a591505b585d9f3058046c4130b
  SHA512: b61586dc9401097206a6dccce605e50b9eae6bc5d8aa3dd6866ce641d9e3066da46108322d4881900ca18ccd3c5d329b56b7289696866f880bf4bb54d3ed384e
- Filesize: 257B
  MD5: 31247258084b9c561df9b82b753e3283
  SHA1: fdc0e865c45e01712cb08a2dbc8a7a811fc35718
  SHA256: 91939139e7c7892387ebd824055a4bf7d32ce8e407d45aad572dca13be2a7ff8
  SHA512: 74d2d9568c58532bbab7768f6a1d1e675437170be6f296bcdd2d1d820ccd554d61b67f5a264189831667150cfc24aa50dcba97d579c983b0ac345275349ad891