Analysis
max time kernel: 33s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 20:54
Static task: static1
Behavioral task: behavioral1
Sample: 4be438b2007262fba5d5c69ba3dc9d31d8a08c4f36444e9d7b64273cd45daa3fN.dll
Resource: win7-20241010-en
General
Target: 4be438b2007262fba5d5c69ba3dc9d31d8a08c4f36444e9d7b64273cd45daa3fN.dll
Size: 120KB
MD5: 3b392179cb5377bcbbcff7a1c15852d0
SHA1: c8fbb3818ecc26c24a72a3163ccb106cdf97c09d
SHA256: 4be438b2007262fba5d5c69ba3dc9d31d8a08c4f36444e9d7b64273cd45daa3f
SHA512: f53b092518d2cf6caf26443eab5fe8d2ca555eb9c6b259947cc18fe92b1509b43796aa35ab4cc8217a64c391a3f36d204d33ba2cf5a971df034f47b4772d1efa
SSDEEP: 3072:xjqM1EBflPZlfG63pVgwzBFNc3TRP15Da9d0:UMSXPZg6ZewFNc3TR9M
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c92c.exe
Sality family

UAC bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579579.exe

Windows security bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579579.exe
Executes dropped EXE (4 IoCs)
pid | process
932 | e579579.exe
2376 | e5796f0.exe
3276 | e57c92c.exe
3492 | e57c93b.exe
Windows security modification
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579579.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c92c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579579.exe

Checks whether UAC is enabled
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c92c.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\G: | e57c92c.exe
File opened (read-only) | \??\H: | e57c92c.exe
File opened (read-only) | \??\E: | e579579.exe
File opened (read-only) | \??\I: | e579579.exe
File opened (read-only) | \??\K: | e579579.exe
File opened (read-only) | \??\L: | e579579.exe
File opened (read-only) | \??\M: | e579579.exe
File opened (read-only) | \??\E: | e57c92c.exe
File opened (read-only) | \??\G: | e579579.exe
File opened (read-only) | \??\H: | e579579.exe
File opened (read-only) | \??\J: | e579579.exe
File opened (read-only) | \??\I: | e57c92c.exe
File opened (read-only) | \??\J: | e57c92c.exe
yara_rule match: upx
resource | yara_rule
behavioral2/memory/932-6-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-8-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-9-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-30-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-29-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-35-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-25-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-12-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-11-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-10-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-33-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-36-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-37-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-38-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-39-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-40-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-46-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-59-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-60-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-63-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-64-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-66-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-68-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-70-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/932-73-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/3276-96-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3276-154-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3276-156-0x0000000000760000-0x000000000181A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | process
File created | C:\Windows\e579654 | e579579.exe
File opened for modification | C:\Windows\SYSTEM.INI | e579579.exe
File created | C:\Windows\e57f06b | e57c92c.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579579.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5796f0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c92c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c93b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | process
932 | e579579.exe (4 identical entries)
3276 | e57c92c.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
Token: SeDebugPrivilege | 932 | e579579.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | procid_target
PID 2808 wrote to memory of 4184 | 2808 | rundll32.exe | 82 (3 identical entries)
PID 4184 wrote to memory of 932 | 4184 | rundll32.exe | 83 (3 identical entries)
PID 932 wrote to memory of 780 | 932 | e579579.exe | 8
PID 932 wrote to memory of 784 | 932 | e579579.exe | 9
PID 932 wrote to memory of 376 | 932 | e579579.exe | 13
PID 932 wrote to memory of 2584 | 932 | e579579.exe | 42
PID 932 wrote to memory of 2596 | 932 | e579579.exe | 43
PID 932 wrote to memory of 2708 | 932 | e579579.exe | 45
PID 932 wrote to memory of 3508 | 932 | e579579.exe | 56
PID 932 wrote to memory of 3668 | 932 | e579579.exe | 57
PID 932 wrote to memory of 3864 | 932 | e579579.exe | 58
PID 932 wrote to memory of 3964 | 932 | e579579.exe | 59
PID 932 wrote to memory of 4068 | 932 | e579579.exe | 60
PID 932 wrote to memory of 2472 | 932 | e579579.exe | 61
PID 932 wrote to memory of 4116 | 932 | e579579.exe | 62
PID 932 wrote to memory of 1696 | 932 | e579579.exe | 75
PID 932 wrote to memory of 2168 | 932 | e579579.exe | 76
PID 932 wrote to memory of 2808 | 932 | e579579.exe | 81
PID 932 wrote to memory of 4184 | 932 | e579579.exe | 82 (2 identical entries)
PID 4184 wrote to memory of 2376 | 4184 | rundll32.exe | 84 (3 identical entries)
PID 932 wrote to memory of 780 | 932 | e579579.exe | 8
PID 932 wrote to memory of 784 | 932 | e579579.exe | 9
PID 932 wrote to memory of 376 | 932 | e579579.exe | 13
PID 932 wrote to memory of 2584 | 932 | e579579.exe | 42
PID 932 wrote to memory of 2596 | 932 | e579579.exe | 43
PID 932 wrote to memory of 2708 | 932 | e579579.exe | 45
PID 932 wrote to memory of 3508 | 932 | e579579.exe | 56
PID 932 wrote to memory of 3668 | 932 | e579579.exe | 57
PID 932 wrote to memory of 3864 | 932 | e579579.exe | 58
PID 932 wrote to memory of 3964 | 932 | e579579.exe | 59
PID 932 wrote to memory of 4068 | 932 | e579579.exe | 60
PID 932 wrote to memory of 2472 | 932 | e579579.exe | 61
PID 932 wrote to memory of 4116 | 932 | e579579.exe | 62
PID 932 wrote to memory of 1696 | 932 | e579579.exe | 75
PID 932 wrote to memory of 2168 | 932 | e579579.exe | 76
PID 932 wrote to memory of 2808 | 932 | e579579.exe | 81
PID 932 wrote to memory of 2376 | 932 | e579579.exe | 84 (2 identical entries)
PID 4184 wrote to memory of 3276 | 4184 | rundll32.exe | 85 (3 identical entries)
PID 4184 wrote to memory of 3492 | 4184 | rundll32.exe | 86 (3 identical entries)
PID 3276 wrote to memory of 780 | 3276 | e57c92c.exe | 8
PID 3276 wrote to memory of 784 | 3276 | e57c92c.exe | 9
PID 3276 wrote to memory of 376 | 3276 | e57c92c.exe | 13
PID 3276 wrote to memory of 2584 | 3276 | e57c92c.exe | 42
PID 3276 wrote to memory of 2596 | 3276 | e57c92c.exe | 43
PID 3276 wrote to memory of 2708 | 3276 | e57c92c.exe | 45
PID 3276 wrote to memory of 3508 | 3276 | e57c92c.exe | 56
PID 3276 wrote to memory of 3668 | 3276 | e57c92c.exe | 57
PID 3276 wrote to memory of 3864 | 3276 | e57c92c.exe | 58
PID 3276 wrote to memory of 3964 | 3276 | e57c92c.exe | 59
PID 3276 wrote to memory of 4068 | 3276 | e57c92c.exe | 60
PID 3276 wrote to memory of 2472 | 3276 | e57c92c.exe | 61
PID 3276 wrote to memory of 4116 | 3276 | e57c92c.exe | 62
System policy modification (1 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c92c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579579.exe
Processes
(each entry: tree depth as shown in the report, image path, command line, signatures hit, PID)

depth 1: C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 780

depth 1: C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 784

depth 1: C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 376

depth 1: C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2584

depth 1: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2596

depth 1: C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2708

depth 1: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3508

depth 2: C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4be438b2007262fba5d5c69ba3dc9d31d8a08c4f36444e9d7b64273cd45daa3fN.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  PID: 2808

depth 3: C:\Windows\SysWOW64\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4be438b2007262fba5d5c69ba3dc9d31d8a08c4f36444e9d7b64273cd45daa3fN.dll,#1
  signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  PID: 4184

depth 4: C:\Users\Admin\AppData\Local\Temp\e579579.exe
  command line: C:\Users\Admin\AppData\Local\Temp\e579579.exe
  signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  PID: 932

depth 4: C:\Users\Admin\AppData\Local\Temp\e5796f0.exe
  command line: C:\Users\Admin\AppData\Local\Temp\e5796f0.exe
  signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  PID: 2376

depth 4: C:\Users\Admin\AppData\Local\Temp\e57c92c.exe
  command line: C:\Users\Admin\AppData\Local\Temp\e57c92c.exe
  signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
  PID: 3276

depth 4: C:\Users\Admin\AppData\Local\Temp\e57c93b.exe
  command line: C:\Users\Admin\AppData\Local\Temp\e57c93b.exe
  signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  PID: 3492

depth 1: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3668

depth 1: C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3864

depth 1: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3964

depth 1: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4068

depth 1: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 2472

depth 1: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4116

depth 1: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 1696

depth 1: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2168
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 0bf0d5e711d637c47dd8b8f513e3f1f1
SHA1: bd39d7f230f04e82f08e200aa71b1a6d71006a38
SHA256: 97578c0b9cc12c84622301cd14a9e5fbfad0a2ca9c67e112222a4887f84d1c7b
SHA512: 14d7340b85ec8790c373d15d84803cc8db8427be18565715de3c6d4900f17e39370f8a5282bd260330012bb3ac28bb788fcf22725550b60d69c192c378049983

Filesize: 256B
MD5: f9e9a9da388544edfd0721763b1a47bf
SHA1: febca9a8652514378e0f60d98f189484fc01fe1f
SHA256: a7d1a377d96654d10271746b7bc1a374fd312ae024c503c9784e86e3afa5478a
SHA512: a60258e4c3b4327b2a155fb4049b21133524e3607d281e4f86b7539e1aad079caa534bd617787d03617aabe00b67179e42d04d0de81c6f44162bbf78d6a44454