Analysis
- max time kernel: 33s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-12-2024 11:14

Static task: static1
Behavioral task: behavioral1
Sample: 5f6d1268b123504f69e3bf0bfc0d6947a6274e210683c0230fa38804cd277e3fN.dll
Resource: win7-20240903-en

General
- Target: 5f6d1268b123504f69e3bf0bfc0d6947a6274e210683c0230fa38804cd277e3fN.dll
- Size: 120KB
- MD5: ab195fe38e7b07fe3f448bd60322d5b0
- SHA1: 687d66498b699d234f535df97e5e890101ce7e93
- SHA256: 5f6d1268b123504f69e3bf0bfc0d6947a6274e210683c0230fa38804cd277e3f
- SHA512: ee25dc42526db492a04dcd4681174e1773ecee62c9926b754921545fb77fc1467a5dc3a52f4b1d8aa8b15cd705f8fc4a3ec328722d01dfda08cd70b5d6e7ade2
- SSDEEP: 3072:Ni6L31YpRa/PqELuEfGi2vgb/mbMcy75Ko:Niu31YyPFuipqbMxv
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d736.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d736.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d736.exe
Sality family

UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d736.exe
Windows security bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d736.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d736.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d736.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d736.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d736.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d736.exe
Executes dropped EXE (4 IoCs)
pid | Process
3644 | e57a529.exe
4468 | e57a6df.exe
3212 | e57d736.exe
1436 | e57d764.exe
Windows security modification (14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d736.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d736.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a529.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d736.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d736.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d736.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d736.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d736.exe
Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d736.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57a529.exe
File opened (read-only) | \??\J: | e57a529.exe
File opened (read-only) | \??\L: | e57a529.exe
File opened (read-only) | \??\M: | e57a529.exe
File opened (read-only) | \??\G: | e57d736.exe
File opened (read-only) | \??\E: | e57a529.exe
File opened (read-only) | \??\I: | e57a529.exe
File opened (read-only) | \??\K: | e57a529.exe
File opened (read-only) | \??\E: | e57d736.exe
File opened (read-only) | \??\H: | e57d736.exe
File opened (read-only) | \??\I: | e57d736.exe
File opened (read-only) | \??\J: | e57d736.exe
File opened (read-only) | \??\H: | e57a529.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57a5c5 | e57a529.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a529.exe
File created | C:\Windows\e57fea3 | e57d736.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a529.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a6df.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d736.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d764.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3644 | e57a529.exe (4 events)
3212 | e57d736.exe (2 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3644 | e57a529.exe (all 64 logged events are this same entry)
Suspicious use of WriteProcessMemory (64 IoCs; the 64 logged events, many of them repeated, collapse to the distinct source/target pairs below; target Process is taken from the process list further down)
source PID | source Process | target PID | target Process | procid_target
1748 | rundll32.exe | 3104 | rundll32.exe | 83
3104 | rundll32.exe | 3644 | e57a529.exe | 84
3644 | e57a529.exe | 780 | fontdrvhost.exe | 8
3644 | e57a529.exe | 788 | fontdrvhost.exe | 9
3644 | e57a529.exe | 380 | dwm.exe | 13
3644 | e57a529.exe | 2476 | sihost.exe | 42
3644 | e57a529.exe | 2528 | svchost.exe | 43
3644 | e57a529.exe | 2640 | taskhostw.exe | 44
3644 | e57a529.exe | 3536 | Explorer.EXE | 56
3644 | e57a529.exe | 3668 | svchost.exe | 57
3644 | e57a529.exe | 3852 | DllHost.exe | 58
3644 | e57a529.exe | 3952 | StartMenuExperienceHost.exe | 59
3644 | e57a529.exe | 4016 | RuntimeBroker.exe | 60
3644 | e57a529.exe | 924 | SearchApp.exe | 61
3644 | e57a529.exe | 3268 | RuntimeBroker.exe | 62
3644 | e57a529.exe | 5112 | RuntimeBroker.exe | 64
3644 | e57a529.exe | 2352 | TextInputHost.exe | 76
3644 | e57a529.exe | 4892 | backgroundTaskHost.exe | 81
3644 | e57a529.exe | 1748 | rundll32.exe | 82
3644 | e57a529.exe | 3104 | rundll32.exe | 83
3104 | rundll32.exe | 4468 | e57a6df.exe | 85
3644 | e57a529.exe | 4468 | e57a6df.exe | 85
3104 | rundll32.exe | 3212 | e57d736.exe | 86
3104 | rundll32.exe | 1436 | e57d764.exe | 87
3212 | e57d736.exe | 780 | fontdrvhost.exe | 8
3212 | e57d736.exe | 788 | fontdrvhost.exe | 9
3212 | e57d736.exe | 380 | dwm.exe | 13
3212 | e57d736.exe | 2476 | sihost.exe | 42
3212 | e57d736.exe | 2528 | svchost.exe | 43
3212 | e57d736.exe | 2640 | taskhostw.exe | 44
3212 | e57d736.exe | 3536 | Explorer.EXE | 56
3212 | e57d736.exe | 3668 | svchost.exe | 57
3212 | e57d736.exe | 3852 | DllHost.exe | 58
3212 | e57d736.exe | 3952 | StartMenuExperienceHost.exe | 59
3212 | e57d736.exe | 4016 | RuntimeBroker.exe | 60
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d736.exe
Processes (image path, command line in parentheses, PID; child processes indented under their parent)
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:780
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:788
- C:\Windows\system32\dwm.exe ("dwm.exe") PID:380
- C:\Windows\system32\sihost.exe (sihost.exe) PID:2476
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID:2528
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID:2640
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:3536
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f6d1268b123504f69e3bf0bfc0d6947a6274e210683c0230fa38804cd277e3fN.dll,#1) PID:1748
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f6d1268b123504f69e3bf0bfc0d6947a6274e210683c0230fa38804cd277e3fN.dll,#1) PID:3104
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57a529.exe (C:\Users\Admin\AppData\Local\Temp\e57a529.exe) PID:3644
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57a6df.exe (C:\Users\Admin\AppData\Local\Temp\e57a6df.exe) PID:4468
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57d736.exe (C:\Users\Admin\AppData\Local\Temp\e57d736.exe) PID:3212
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57d764.exe (C:\Users\Admin\AppData\Local\Temp\e57d764.exe) PID:1436
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID:3668
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:3852
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID:3952
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:4016
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID:924
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3268
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:5112
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID:2352
- C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca) PID:4892
Network
MITRE ATT&CK Enterprise v15 (counts in parentheses)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 46a4ae75fdf4c70005bbe2fb3fdcc4ec
  SHA1: 3a5e7cf393d3fdaa48aa49909246551f83ef8ef0
  SHA256: c11df09c0f072b8d961a4cd77af6af892836a03d6a27dfc5a406e122e53c50db
  SHA512: fd0f2d224cea7400b7984b4cfbee7bff85b2b982ef60d111f72d4324276141e7c6ecf9d8e56a4afc88262b1990cb1f6b08342399797057dec9939833a2a70c84
- Filesize: 257B
  MD5: f116f2f0c5c1c15cf5689f7409edd4f1
  SHA1: 5ac4a0ad11a7a2f2a86c8346ef2919f793154494
  SHA256: a7f61b84a6331cb6906cf98bb87bb20d8edc0a96a9bd38fdac4dca1d4bb1fbb8
  SHA512: abd0c6a36f53ebbcf937cfb1ff3cbb91e47d240ca9f60fd6128dde03bea7fc43237b4ca5f310ef696d06f256f6bda37279af1a9f139635536276caa7917de77f