Analysis
max time kernel: 32s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-12-2024 20:47
Static task: static1
Behavioral task: behavioral1
Sample: 3cefe18fbea53f21746d29fb592c43faff505cfd8b9216bc29994f20d9193359.dll
Resource: win7-20240903-en

General
Target: 3cefe18fbea53f21746d29fb592c43faff505cfd8b9216bc29994f20d9193359.dll
Size: 120KB
MD5: 47cb3007b9215438ed4815b7184c4184
SHA1: 9294f6db1952b958a5f3dbc6ce3c619addffd39f
SHA256: 3cefe18fbea53f21746d29fb592c43faff505cfd8b9216bc29994f20d9193359
SHA512: 41be5948a1ab5a300f7a25da5eb2391febfcdd922868251e9be96d3a40895e35979b556b1107e8b1fd57d7f086f056a5b20f781e96919ebbfc091f2ba31c3dee
SSDEEP: 1536:f56vbyxLU3W1mQPoy3xxmgTZRxK4LcvL/bFzPCfZt77KYDwP384Hvvc1fxdLW:f4+xLU3WJ9xZZXCzFzPCff3Ismvk1a
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57702f.exe
Sality family

UAC bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57702f.exe
Windows security bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579f5d.exe
Executes dropped EXE 3 IoCs
pid | Process
- 3960 | e57702f.exe
- 1016 | e577290.exe
- 1912 | e579f5d.exe
Windows security modification
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57702f.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57702f.exe
Checks whether UAC is enabled
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579f5d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57702f.exe
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\G: | e579f5d.exe
- File opened (read-only) | \??\I: | e579f5d.exe
- File opened (read-only) | \??\G: | e57702f.exe
- File opened (read-only) | \??\I: | e57702f.exe
- File opened (read-only) | \??\J: | e57702f.exe
- File opened (read-only) | \??\L: | e57702f.exe
- File opened (read-only) | \??\M: | e57702f.exe
- File opened (read-only) | \??\E: | e579f5d.exe
- File opened (read-only) | \??\E: | e57702f.exe
- File opened (read-only) | \??\H: | e57702f.exe
- File opened (read-only) | \??\K: | e57702f.exe
- File opened (read-only) | \??\N: | e57702f.exe
- File opened (read-only) | \??\H: | e579f5d.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
- File created | C:\Windows\e57c6ab | e579f5d.exe
- File created | C:\Windows\e57708c | e57702f.exe
- File opened for modification | C:\Windows\SYSTEM.INI | e57702f.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57702f.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577290.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579f5d.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
- 3960 | e57702f.exe
- 3960 | e57702f.exe
- 3960 | e57702f.exe
- 3960 | e57702f.exe
- 1912 | e579f5d.exe
- 1912 | e579f5d.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57702f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579f5d.exe
Processes
- C:\Windows\system32\fontdrvhost.exe (PID 792)
  cmd: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (PID 800)
  cmd: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 60)
  cmd: "dwm.exe"
- C:\Windows\system32\sihost.exe (PID 2964)
  cmd: sihost.exe
- C:\Windows\system32\svchost.exe (PID 3024)
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 2636)
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3436)
  cmd: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 3588)
    cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cefe18fbea53f21746d29fb592c43faff505cfd8b9216bc29994f20d9193359.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 3416)
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cefe18fbea53f21746d29fb592c43faff505cfd8b9216bc29994f20d9193359.dll,#1
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57702f.exe (PID 3960)
        cmd: C:\Users\Admin\AppData\Local\Temp\e57702f.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e577290.exe (PID 1016)
        cmd: C:\Users\Admin\AppData\Local\Temp\e577290.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e579f5d.exe (PID 1912)
        cmd: C:\Users\Admin\AppData\Local\Temp\e579f5d.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe (PID 3564)
  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3740)
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3840)
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3904)
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3992)
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4112)
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 2316)
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 1800)
  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\system32\backgroundTaskHost.exe (PID 788)
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)