Analysis
max time kernel: 32s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 06/12/2024, 14:52
Static task: static1
Behavioral task: behavioral1
Sample: 43534397fa68642527d6dfdf6f0aa99f40d43cfdfd6a0587cb336648e9476cb8N.dll
Resource: win7-20241023-en
General
Target: 43534397fa68642527d6dfdf6f0aa99f40d43cfdfd6a0587cb336648e9476cb8N.dll
Size: 120KB
MD5: fc2a1c99c4afae694c2671e8db0cd2d0
SHA1: 1fd7ae6821e4cd048066a33c802dcb95c3ebbbe2
SHA256: 43534397fa68642527d6dfdf6f0aa99f40d43cfdfd6a0587cb336648e9476cb8
SHA512: 0a11653d627385d63c703e2d4c60ca89fb506e9c89db726f8e0b0a8d9a6b57340a5ce25cf8efba0218d3a6d9990d4232301a7f2d26b6689fd8698ca8a30a416f
SSDEEP: 3072:doVrT5UGhUK8k5wMpA3rlAS5BbR4W1REC:do159hUK8kxAxnJ4W1W
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c9a9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c9a9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c9a9.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c9a9.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c9a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c9a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c9a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c9a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c9a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c9a9.exe
Executes dropped EXE (3 IoCs)
pid | Process
2924 | e579913.exe
1372 | e579a4c.exe
2300 | e57c9a9.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c9a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c9a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c9a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c9a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c9a9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c9a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c9a9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579913.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c9a9.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | e57c9a9.exe
File opened (read-only) | \??\G: | e579913.exe
File opened (read-only) | \??\H: | e579913.exe
File opened (read-only) | \??\J: | e579913.exe
File opened (read-only) | \??\K: | e579913.exe
File opened (read-only) | \??\H: | e57c9a9.exe
File opened (read-only) | \??\G: | e57c9a9.exe
File opened (read-only) | \??\J: | e57c9a9.exe
File opened (read-only) | \??\E: | e579913.exe
File opened (read-only) | \??\I: | e579913.exe
File opened (read-only) | \??\L: | e579913.exe
File opened (read-only) | \??\M: | e579913.exe
File opened (read-only) | \??\E: | e57c9a9.exe
resource | yara_rule
behavioral2/memory/2924-9-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-22-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-32-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-12-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-35-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-27-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-11-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-10-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-8-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-6-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-34-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-36-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-37-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-38-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-39-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-40-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-46-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-57-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-58-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-59-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-61-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-63-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-65-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-67-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2924-69-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2300-104-0x0000000000820000-0x00000000018DA000-memory.dmp | upx
behavioral2/memory/2300-125-0x0000000000820000-0x00000000018DA000-memory.dmp | upx
behavioral2/memory/2300-149-0x0000000000820000-0x00000000018DA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e579961 | e579913.exe
File opened for modification | C:\Windows\SYSTEM.INI | e579913.exe
File created | C:\Windows\e57f126 | e57c9a9.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579913.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579a4c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c9a9.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2924 | e579913.exe
2924 | e579913.exe
2924 | e579913.exe
2924 | e579913.exe
2300 | e57c9a9.exe
2300 | e57c9a9.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2924 | e579913.exe
(the same entry is repeated for all 64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3108 wrote to memory of 1800 | 3108 | rundll32.exe | 83
PID 3108 wrote to memory of 1800 | 3108 | rundll32.exe | 83
PID 3108 wrote to memory of 1800 | 3108 | rundll32.exe | 83
PID 1800 wrote to memory of 2924 | 1800 | rundll32.exe | 84
PID 1800 wrote to memory of 2924 | 1800 | rundll32.exe | 84
PID 1800 wrote to memory of 2924 | 1800 | rundll32.exe | 84
PID 2924 wrote to memory of 784 | 2924 | e579913.exe | 8
PID 2924 wrote to memory of 792 | 2924 | e579913.exe | 9
PID 2924 wrote to memory of 384 | 2924 | e579913.exe | 13
PID 2924 wrote to memory of 3040 | 2924 | e579913.exe | 50
PID 2924 wrote to memory of 2528 | 2924 | e579913.exe | 52
PID 2924 wrote to memory of 3124 | 2924 | e579913.exe | 53
PID 2924 wrote to memory of 3452 | 2924 | e579913.exe | 56
PID 2924 wrote to memory of 3584 | 2924 | e579913.exe | 57
PID 2924 wrote to memory of 3788 | 2924 | e579913.exe | 58
PID 2924 wrote to memory of 3872 | 2924 | e579913.exe | 59
PID 2924 wrote to memory of 3936 | 2924 | e579913.exe | 60
PID 2924 wrote to memory of 4020 | 2924 | e579913.exe | 61
PID 2924 wrote to memory of 3612 | 2924 | e579913.exe | 62
PID 2924 wrote to memory of 1460 | 2924 | e579913.exe | 75
PID 2924 wrote to memory of 3628 | 2924 | e579913.exe | 76
PID 2924 wrote to memory of 2956 | 2924 | e579913.exe | 81
PID 2924 wrote to memory of 3108 | 2924 | e579913.exe | 82
PID 2924 wrote to memory of 1800 | 2924 | e579913.exe | 83
PID 2924 wrote to memory of 1800 | 2924 | e579913.exe | 83
PID 1800 wrote to memory of 1372 | 1800 | rundll32.exe | 85
PID 1800 wrote to memory of 1372 | 1800 | rundll32.exe | 85
PID 1800 wrote to memory of 1372 | 1800 | rundll32.exe | 85
PID 2924 wrote to memory of 784 | 2924 | e579913.exe | 8
PID 2924 wrote to memory of 792 | 2924 | e579913.exe | 9
PID 2924 wrote to memory of 384 | 2924 | e579913.exe | 13
PID 2924 wrote to memory of 3040 | 2924 | e579913.exe | 50
PID 2924 wrote to memory of 2528 | 2924 | e579913.exe | 52
PID 2924 wrote to memory of 3124 | 2924 | e579913.exe | 53
PID 2924 wrote to memory of 3452 | 2924 | e579913.exe | 56
PID 2924 wrote to memory of 3584 | 2924 | e579913.exe | 57
PID 2924 wrote to memory of 3788 | 2924 | e579913.exe | 58
PID 2924 wrote to memory of 3872 | 2924 | e579913.exe | 59
PID 2924 wrote to memory of 3936 | 2924 | e579913.exe | 60
PID 2924 wrote to memory of 4020 | 2924 | e579913.exe | 61
PID 2924 wrote to memory of 3612 | 2924 | e579913.exe | 62
PID 2924 wrote to memory of 1460 | 2924 | e579913.exe | 75
PID 2924 wrote to memory of 3628 | 2924 | e579913.exe | 76
PID 2924 wrote to memory of 2956 | 2924 | e579913.exe | 81
PID 2924 wrote to memory of 3108 | 2924 | e579913.exe | 82
PID 2924 wrote to memory of 1372 | 2924 | e579913.exe | 85
PID 2924 wrote to memory of 1372 | 2924 | e579913.exe | 85
PID 1800 wrote to memory of 2300 | 1800 | rundll32.exe | 86
PID 1800 wrote to memory of 2300 | 1800 | rundll32.exe | 86
PID 1800 wrote to memory of 2300 | 1800 | rundll32.exe | 86
PID 2300 wrote to memory of 784 | 2300 | e57c9a9.exe | 8
PID 2300 wrote to memory of 792 | 2300 | e57c9a9.exe | 9
PID 2300 wrote to memory of 384 | 2300 | e57c9a9.exe | 13
PID 2300 wrote to memory of 3040 | 2300 | e57c9a9.exe | 50
PID 2300 wrote to memory of 2528 | 2300 | e57c9a9.exe | 52
PID 2300 wrote to memory of 3124 | 2300 | e57c9a9.exe | 53
PID 2300 wrote to memory of 3452 | 2300 | e57c9a9.exe | 56
PID 2300 wrote to memory of 3584 | 2300 | e57c9a9.exe | 57
PID 2300 wrote to memory of 3788 | 2300 | e57c9a9.exe | 58
PID 2300 wrote to memory of 3872 | 2300 | e57c9a9.exe | 59
PID 2300 wrote to memory of 3936 | 2300 | e57c9a9.exe | 60
PID 2300 wrote to memory of 4020 | 2300 | e57c9a9.exe | 61
PID 2300 wrote to memory of 3612 | 2300 | e57c9a9.exe | 62
PID 2300 wrote to memory of 1460 | 2300 | e57c9a9.exe | 75
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579913.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c9a9.exe
Processes
Path | Command line | PID (indentation shows the parent/child relationship; signatures triggered by a process are listed beneath it)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:384
C:\Windows\system32\sihost.exe | sihost.exe | PID:3040
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2528
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3124
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3452
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\43534397fa68642527d6dfdf6f0aa99f40d43cfdfd6a0587cb336648e9476cb8N.dll,#1 | PID:3108
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\43534397fa68642527d6dfdf6f0aa99f40d43cfdfd6a0587cb336648e9476cb8N.dll,#1 | PID:1800
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e579913.exe | C:\Users\Admin\AppData\Local\Temp\e579913.exe | PID:2924
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e579a4c.exe | C:\Users\Admin\AppData\Local\Temp\e579a4c.exe | PID:1372
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57c9a9.exe | C:\Users\Admin\AppData\Local\Temp\e57c9a9.exe | PID:2300
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3584
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3788
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3872
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3936
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4020
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3612
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1460
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3628
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2956
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 97KB
MD5: ec5ba36841b0b62c5a6ed0c26c0546ab
SHA1: 33196ea1525f07e1dd71b84442d867c37099c2b5
SHA256: 2e2caef08e24f4e1d2d78859d45ce3744493914f79609b195986eacb322eae91
SHA512: 603c686051953db1eb3bae747382b40a8058bfe04b0fe20b454e9178caebbaf9f2c3feceeab19fdb5bd7a8467d5773f8bff3e9d0d0957a81326b2c57c8bbeedb

Filesize: 257B
MD5: 6e4b471899f84e922c675b76a5748c6f
SHA1: 76abe2d732460a2877a92821a91b404e6cd1e485
SHA256: ebd9e2d7bd45715cf40e9a5f6b74285590a33f505b1cae0f08626fa91c407990
SHA512: 78e6b87bf3e59bfbbc673aed922bcbc3c019522a934fbd801044ec8a1f1f2e4056ed0a1316347237aa4bedd630c10f8bba1b0a7c0b2340e6b7df7f36f7f97eb3