Analysis
  max time kernel: 95s
  max time network: 96s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/11/2024, 04:16
Static task: static1
Behavioral task: behavioral1
  Sample: 22204ae218b80ffd3971864c0264807bed0704485695ffd00832e593fb73117eN.dll
  Resource: win7-20241010-en
General
  Target: 22204ae218b80ffd3971864c0264807bed0704485695ffd00832e593fb73117eN.dll
  Size: 120KB
  MD5: 867dfa4e0a3ae2ee075e6fe2c0d2dfb0
  SHA1: eb5a96db57e6573bf0d8e3f4ea16497a7c1968f3
  SHA256: 22204ae218b80ffd3971864c0264807bed0704485695ffd00832e593fb73117e
  SHA512: 42b57335372ff9acef5420c499a972d1716e48cc37fde0f005e19ec384ee982fdb8bb055840922b5f6ae1d79105ff6a839a74ddbab02fedd502b5c577b729d95
  SSDEEP: 3072:EULqrS26yqT6mSRC0MYn8DYj7fkaunHQNlVk:EOFF70/DpunHQz2
Malware Config
  Extracted
  Family: sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  (3 TTPs, 6 IoCs)
  description       ioc                                                                                                            process
  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"    e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"          e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"    e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"    e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"          e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"    e578b87.exe
Sality family

UAC bypass  (2 IoCs)
  description       ioc                                                                                      process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"    e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"    e57ae22.exe
Windows security bypass  (12 IoCs)
  description       ioc                                                                                   process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"          e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"    e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"     e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"          e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"    e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"     e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"          e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"         e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"          e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"      e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"         e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"      e578b87.exe
Executes dropped EXE  (3 IoCs)
  pid    process
  1840   e578b87.exe
  4820   e578cfe.exe
  4980   e57ae22.exe
Windows security modification  (14 IoCs)
  description       ioc                                                                                   process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"      e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"         e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"          e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"          e57ae22.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc                             e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"      e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"          e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"    e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"     e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"     e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"    e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"          e578b87.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc                             e57ae22.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"         e578b87.exe
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57ae22.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e578b87.exe -
Enumerates connected drives  (3 TTPs, 9 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description                ioc       process
  File opened (read-only)    \??\J:    e578b87.exe
  File opened (read-only)    \??\N:    e578b87.exe
  File opened (read-only)    \??\E:    e578b87.exe
  File opened (read-only)    \??\G:    e578b87.exe
  File opened (read-only)    \??\I:    e578b87.exe
  File opened (read-only)    \??\M:    e578b87.exe
  File opened (read-only)    \??\H:    e578b87.exe
  File opened (read-only)    \??\K:    e578b87.exe
  File opened (read-only)    \??\L:    e578b87.exe
Memory dumps matching yara rule upx  (28 IoCs)
  resource                                                                          yara_rule
  behavioral2/memory/1840-{6,8,9,10,11,12,22,23,28,31,34,35,36,37,38,55,59,61,62,64,65,66,69,72,82}-0x0000000000760000-0x000000000181A000-memory.dmp    upx   (25 dumps of the same region of PID 1840, one per listed snapshot)
  behavioral2/memory/4820-102-0x0000000000B80000-0x0000000001C3A000-memory.dmp      upx
  behavioral2/memory/4980-114-0x0000000000B60000-0x0000000001C1A000-memory.dmp      upx
  behavioral2/memory/4980-128-0x0000000000B60000-0x0000000001C1A000-memory.dmp      upx
Drops file in Program Files directory  (3 IoCs)
  description                     ioc                                  process
  File opened for modification    C:\Program Files\7-Zip\7zFM.exe      e578b87.exe
  File opened for modification    C:\Program Files\7-Zip\7zG.exe       e578b87.exe
  File opened for modification    C:\Program Files\7-Zip\7z.exe        e578b87.exe
Drops file in Windows directory  (3 IoCs)
  description                     ioc                         process
  File created                    C:\Windows\e578c23          e578b87.exe
  File opened for modification    C:\Windows\SYSTEM.INI       e578b87.exe
  File created                    C:\Windows\e57fca0          e57ae22.exe
System Location Discovery: System Language Discovery  (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description    ioc                                                              process
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      rundll32.exe
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      e578b87.exe
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      e578cfe.exe
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      e57ae22.exe
Suspicious behavior: EnumeratesProcesses  (6 IoCs)
  pid    process        count
  1840   e578b87.exe    4
  4980   e57ae22.exe    2
Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  description                 pid    process        count
  Token: SeDebugPrivilege     1840   e578b87.exe    64
Suspicious use of WriteProcessMemory  (64 IoCs, grouped by writing process; the number in parentheses is the sandbox's procid_target, and "xN" marks repeated writes to the same target)
  PID 1040 rundll32.exe wrote to memory of:
    3924 (83) x3
  PID 3924 rundll32.exe wrote to memory of:
    1840 (84) x3, 4820 (85) x3, 4980 (89) x3
  PID 1840 e578b87.exe wrote to memory of:
    800 (9) x2, 808 (10) x2, 388 (13) x2, 2828 (49) x2, 2876 (50) x2, 2884 (52) x2, 3504 (56) x2, 3624 (57) x2, 3824 (58) x2, 3916 (59) x2, 3980 (60) x2, 4076 (61) x2, 2696 (62) x2, 1644 (75) x2, 2960 (76) x2, 3212 (80) x2, 1040 (82), 3924 (83) x2, 4820 (85) x2, 2556 (87), 1988 (88), 4980 (89) x2
  PID 4980 e57ae22.exe wrote to memory of:
    800 (9), 808 (10), 388 (13), 2828 (49), 2876 (50), 2884 (52), 3504 (56), 3624 (57), 3824 (58), 3916 (59), 3980 (60)
System policy modification  (1 TTPs, 2 IoCs)
  description       ioc                                                                                      process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"    e578b87.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"    e57ae22.exe
Processes (indentation shows the parent/child depth of the process tree; each entry gives image path, command line, PID and the signatures that fired in it)

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 800

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 808

C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 388

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2828

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2876

C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2884

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3504

    C:\Windows\system32\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22204ae218b80ffd3971864c0264807bed0704485695ffd00832e593fb73117eN.dll,#1
      PID: 1040
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe
          command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22204ae218b80ffd3971864c0264807bed0704485695ffd00832e593fb73117eN.dll,#1
          PID: 3924
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\e578b87.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e578b87.exe
              PID: 1840
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification

            C:\Users\Admin\AppData\Local\Temp\e578cfe.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e578cfe.exe
              PID: 4820
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\e57ae22.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57ae22.exe
              PID: 4980
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              - System policy modification

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3624

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3916

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3980

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4076

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2696

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 1644

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2960

C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 3212

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2556

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1988
Network
MITRE ATT&CK Enterprise v15 (the number after each entry is the count of matched signatures)
  Privilege Escalation
    Abuse Elevation Control Mechanism  1
      Bypass User Account Control  1
    Create or Modify System Process  1
      Windows Service  1
  Defense Evasion
    Abuse Elevation Control Mechanism  1
      Bypass User Account Control  1
    Impair Defenses  4
      Disable or Modify System Firewall  1
      Disable or Modify Tools  3
    Modify Registry  5
Downloads

  Filesize: 97KB
  MD5: 499f97fc98461047215d56f8bb476033
  SHA1: ea38447742bdab0c7666db91bc262881d1ab222d
  SHA256: 8e9644423cdcb4031e4165600c9f22d8be2d8f4bf0629ed99f959febef59d1ec
  SHA512: 05f3a1ae91cf58073766cce535e8727ad431cdf70df26f790b05271a70483529e94e8237da852f6e34adcb58941aacd9cc759348dbf2f33fc12a953435e046dc

  Filesize: 257B
  MD5: e37e683925abd5c3741dd08eb09a3d0a
  SHA1: 7be8cd264167474446e0bb72706e6b3240cb06a6
  SHA256: 3bf41d820ec634b0703940a41302d83b129b6e8910c02e10a1a0a205b0940eed
  SHA512: 4830f98e24a2a2f7ad5cce56638791664ca59b46d4e8b56ea85eff1a362518abd72104daa90f8cbbfc0d1d3b1c2dcec9075c26aa2a954232b43df355101ec802