Analysis

- max time kernel: 94s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-12-2024 06:53

Static task: static1
Behavioral task: behavioral1
Sample: c0a3403aeaca1740145b6a573807b17f1ff45c4d9df42ce273ea10322a905b57.dll
Resource: win7-20240903-en
General

- Target: c0a3403aeaca1740145b6a573807b17f1ff45c4d9df42ce273ea10322a905b57.dll
- Size: 120KB
- MD5: 91b196049ed55dd8e17b32469a448e27
- SHA1: af0dae0840801ccf94e871967d3226c81bb9e18b
- SHA256: c0a3403aeaca1740145b6a573807b17f1ff45c4d9df42ce273ea10322a905b57
- SHA512: 46f27067cca33b7f01e2e11127c5e11249ecb882675616e0b229a97a8641ac2ba0001b6bef84688518a3f34309ea9a6d8b41a2226d4779ade7f1a01964cc1d7d
- SSDEEP: 3072:xxn7I805Vidm9JghTwJ5KX9emMY2IIipb:xxn7tS0MKQIIi
Malware Config

Extracted family: sality

URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)

IoCs (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57c2d3.exe)
Sality family

UAC bypass

IoCs (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57c2d3.exe)

Windows security bypass

IoCs (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57c2d3.exe)
Executes dropped EXE (3 IoCs)

IoCs (pid, process):
- 376 e57926c.exe
- 2164 e579422.exe
- 880 e57c2d3.exe

Windows security modification

IoCs (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57926c.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57c2d3.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57c2d3.exe)

Checks whether UAC is enabled

IoCs (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57926c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57c2d3.exe)
Enumerates connected drives (3 TTPs, 13 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

IoCs (description, ioc, process):
- File opened (read-only) \??\E: (e57926c.exe)
- File opened (read-only) \??\G: (e57926c.exe)
- File opened (read-only) \??\I: (e57926c.exe)
- File opened (read-only) \??\L: (e57926c.exe)
- File opened (read-only) \??\E: (e57c2d3.exe)
- File opened (read-only) \??\I: (e57c2d3.exe)
- File opened (read-only) \??\J: (e57c2d3.exe)
- File opened (read-only) \??\H: (e57926c.exe)
- File opened (read-only) \??\J: (e57926c.exe)
- File opened (read-only) \??\K: (e57926c.exe)
- File opened (read-only) \??\M: (e57926c.exe)
- File opened (read-only) \??\G: (e57c2d3.exe)
- File opened (read-only) \??\H: (e57c2d3.exe)
Drops file in Windows directory (3 IoCs)

IoCs (description, ioc, process):
- File created C:\Windows\e5792e9 (e57926c.exe)
- File opened for modification C:\Windows\SYSTEM.INI (e57926c.exe)
- File created C:\Windows\e57ea50 (e57c2d3.exe)
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

IoCs (description, ioc, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57926c.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e579422.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57c2d3.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)

IoCs (pid, process):
- 376 e57926c.exe
- 376 e57926c.exe
- 376 e57926c.exe
- 376 e57926c.exe
- 880 e57c2d3.exe
- 880 e57c2d3.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)

Token: SeDebugPrivilege, pid 376, process e57926c.exe (all 64 entries are this same token, pid and process)
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification (1 TTPs, 2 IoCs)

IoCs (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57c2d3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57926c.exe)
Processes

Each entry lists the PID, the image path and the command line; indentation follows the process depth recorded in the report, and signatures hit by a process are listed beneath it.

- PID 780: C:\Windows\system32\fontdrvhost.exe (command line: "fontdrvhost.exe")
- PID 788: C:\Windows\system32\fontdrvhost.exe (command line: "fontdrvhost.exe")
- PID 316: C:\Windows\system32\dwm.exe (command line: "dwm.exe")
- PID 2860: C:\Windows\system32\sihost.exe (command line: sihost.exe)
- PID 2936: C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
- PID 2988: C:\Windows\system32\taskhostw.exe (command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
- PID 3380: C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - PID 4036: C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0a3403aeaca1740145b6a573807b17f1ff45c4d9df42ce273ea10322a905b57.dll,#1)
    signatures: Suspicious use of WriteProcessMemory
    - PID 2588: C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0a3403aeaca1740145b6a573807b17f1ff45c4d9df42ce273ea10322a905b57.dll,#1)
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - PID 376: C:\Users\Admin\AppData\Local\Temp\e57926c.exe (command line: C:\Users\Admin\AppData\Local\Temp\e57926c.exe)
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - PID 2164: C:\Users\Admin\AppData\Local\Temp\e579422.exe (command line: C:\Users\Admin\AppData\Local\Temp\e579422.exe)
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - PID 880: C:\Users\Admin\AppData\Local\Temp\e57c2d3.exe (command line: C:\Users\Admin\AppData\Local\Temp\e57c2d3.exe)
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- PID 3536: C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
- PID 3736: C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
- PID 3832: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
- PID 3908: C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 3992: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
- PID 4176: C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 372: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca)
- PID 3624: C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 3452: C:\Windows\system32\backgroundTaskHost.exe (command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca)
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

- Filesize: 97KB
  MD5: 0512fe6438503bf94b5d77e84b30e4fa
  SHA1: afeab0ec78e755c9f5e031fa7005b2957d3d27c6
  SHA256: ec8434703c3d1c2575eb799e76e6a9b16011abff9a049b363fd703786952763c
  SHA512: a372170f743a6cb20be9a93b0e032fc85002ea4c3e54dc8273c474118fc6533f1b0ac055e762c65c2ce7b8f58860f2f2f616b384c0ccfa6a52df93272a06f0a7

- Filesize: 257B
  MD5: 0b27c110f0ac5cac277c4b67f92e4d4d
  SHA1: 050d8460350ab299cc9c168b175dac29be52da99
  SHA256: eb2c5739524ad93be87ee4293743b57dc8e548f3b062a2efc4ba39c206c001fe
  SHA512: 76a2fccbc85fef93557091f989ea61863e585fe48d00ea89b202fb958b11ade203136ca53b724e72d6623d1895ad70f87aa93b19c318e0d4f3ce43a51b049262