Analysis
- max time kernel: 145s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-12-2024 19:46
Static task: static1
Behavioral task: behavioral1
Sample: 13016f0c24adcbfe442ca42925c63092096a11477fa87e7ab5ed45796b8e255d.dll
Resource: win7-20240903-en
General
- Target: 13016f0c24adcbfe442ca42925c63092096a11477fa87e7ab5ed45796b8e255d.dll
- Size: 120KB
- MD5: ea956eb7d76bc974e76aaaadf9676373
- SHA1: 000f3e1a13eaae8ba560865e7777e603ac6fb1c1
- SHA256: 13016f0c24adcbfe442ca42925c63092096a11477fa87e7ab5ed45796b8e255d
- SHA512: ac9127bd88e23ba153ebce2ed3f160f1a53de60c2932302877723746a3f6271bab5acf27a7d11d302abed550aac364da2d165e2aac4915825e18e3e4ec664c27
- SSDEEP: 1536:orK5RBCtk71WMFRQhWktAOIf8Sax4mjjcT41/u2G9mk1/lPr76HHYmCPgMT:oQCtk71+RPIYx4EjOtPr76H4mCPgMT
Malware Config
Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57cc39.exe
Sality family
UAC bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57fe46.exe
Windows security bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57fe46.exe
Executes dropped EXE (4 IoCs)
pid | Process
- 836 | e57cc39.exe
- 1108 | e57cd81.exe
- 1176 | e57fe46.exe
- 3760 | e57fe65.exe
Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57fe46.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57cc39.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57fe46.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57cc39.exe
Checks whether UAC is enabled
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57fe46.exe
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\M: | e57cc39.exe
- File opened (read-only) | \??\G: | e57fe46.exe
- File opened (read-only) | \??\H: | e57fe46.exe
- File opened (read-only) | \??\J: | e57cc39.exe
- File opened (read-only) | \??\K: | e57cc39.exe
- File opened (read-only) | \??\L: | e57cc39.exe
- File opened (read-only) | \??\E: | e57fe46.exe
- File opened (read-only) | \??\E: | e57cc39.exe
- File opened (read-only) | \??\G: | e57cc39.exe
- File opened (read-only) | \??\H: | e57cc39.exe
- File opened (read-only) | \??\I: | e57cc39.exe
- File opened (read-only) | \??\I: | e57fe46.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
- File created | C:\Windows\e57cca6 | e57cc39.exe
- File opened for modification | C:\Windows\SYSTEM.INI | e57cc39.exe
- File created | C:\Windows\e582584 | e57fe46.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57cc39.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57cd81.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57fe46.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57fe65.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
- 836 | e57cc39.exe (4 entries)
- 1176 | e57fe46.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 836 | e57cc39.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs; identical repeated entries collapsed)
description | pid | Process | procid_target
- PID 1652 wrote to memory of 3892 | 1652 | rundll32.exe | 83
- PID 3892 wrote to memory of 836 | 3892 | rundll32.exe | 84
- PID 836 wrote to memory of 780 | 836 | e57cc39.exe | 8
- PID 836 wrote to memory of 784 | 836 | e57cc39.exe | 9
- PID 836 wrote to memory of 384 | 836 | e57cc39.exe | 13
- PID 836 wrote to memory of 2928 | 836 | e57cc39.exe | 49
- PID 836 wrote to memory of 3032 | 836 | e57cc39.exe | 51
- PID 836 wrote to memory of 2172 | 836 | e57cc39.exe | 53
- PID 836 wrote to memory of 3464 | 836 | e57cc39.exe | 56
- PID 836 wrote to memory of 3604 | 836 | e57cc39.exe | 57
- PID 836 wrote to memory of 3780 | 836 | e57cc39.exe | 58
- PID 836 wrote to memory of 3876 | 836 | e57cc39.exe | 59
- PID 836 wrote to memory of 3944 | 836 | e57cc39.exe | 60
- PID 836 wrote to memory of 4036 | 836 | e57cc39.exe | 61
- PID 836 wrote to memory of 4104 | 836 | e57cc39.exe | 62
- PID 836 wrote to memory of 2540 | 836 | e57cc39.exe | 75
- PID 836 wrote to memory of 5020 | 836 | e57cc39.exe | 76
- PID 836 wrote to memory of 4556 | 836 | e57cc39.exe | 81
- PID 836 wrote to memory of 1652 | 836 | e57cc39.exe | 82
- PID 836 wrote to memory of 3892 | 836 | e57cc39.exe | 83
- PID 3892 wrote to memory of 1108 | 3892 | rundll32.exe | 85
- PID 836 wrote to memory of 1108 | 836 | e57cc39.exe | 85
- PID 3892 wrote to memory of 1176 | 3892 | rundll32.exe | 87
- PID 3892 wrote to memory of 3760 | 3892 | rundll32.exe | 88
- PID 1176 wrote to memory of 780 | 1176 | e57fe46.exe | 8
- PID 1176 wrote to memory of 784 | 1176 | e57fe46.exe | 9
- PID 1176 wrote to memory of 384 | 1176 | e57fe46.exe | 13
- PID 1176 wrote to memory of 2928 | 1176 | e57fe46.exe | 49
- PID 1176 wrote to memory of 3032 | 1176 | e57fe46.exe | 51
- PID 1176 wrote to memory of 2172 | 1176 | e57fe46.exe | 53
- PID 1176 wrote to memory of 3464 | 1176 | e57fe46.exe | 56
- PID 1176 wrote to memory of 3604 | 1176 | e57fe46.exe | 57
- PID 1176 wrote to memory of 3780 | 1176 | e57fe46.exe | 58
- PID 1176 wrote to memory of 3876 | 1176 | e57fe46.exe | 59
- PID 1176 wrote to memory of 3944 | 1176 | e57fe46.exe | 60
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cc39.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57fe46.exe
Processes
image path (command line) PID; indentation shows parent/child nesting
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:780
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:784
- C:\Windows\system32\dwm.exe ("dwm.exe") PID:384
- C:\Windows\system32\sihost.exe (sihost.exe) PID:2928
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID:3032
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID:2172
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:3464
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\13016f0c24adcbfe442ca42925c63092096a11477fa87e7ab5ed45796b8e255d.dll,#1) PID:1652
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\13016f0c24adcbfe442ca42925c63092096a11477fa87e7ab5ed45796b8e255d.dll,#1) PID:3892
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57cc39.exe (C:\Users\Admin\AppData\Local\Temp\e57cc39.exe) PID:836
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57cd81.exe (C:\Users\Admin\AppData\Local\Temp\e57cd81.exe) PID:1108
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57fe46.exe (C:\Users\Admin\AppData\Local\Temp\e57fe46.exe) PID:1176
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57fe65.exe (C:\Users\Admin\AppData\Local\Temp\e57fe65.exe) PID:3760
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID:3604
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:3780
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID:3876
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3944
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID:4036
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:4104
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID:2540
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:5020
- C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca) PID:4556
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 50529f93998ba4c6b8e26e8f2a9607c7
  SHA1: 16594f1560d771722649706b0900c0850fcea98d
  SHA256: 3ee9836bb3f36da3aff1bd16dc57dfbd52a008df361ad2e1cf0b21efea953358
  SHA512: 9456b76257d8852342275d017f85fbb01a56215c0a1a33bab102cf1f7d42567126d9c4e7748d971dc64ac318504e5b68534bc5e50725336d7d8d6598ea6b3b0d
- Filesize: 256B
  MD5: c11426e1d83a701fb91c58eae04de590
  SHA1: 9bcd766961a3bcff3b630d91b02107469bd30bb2
  SHA256: a0faab70d4b58440b1f95b6ad6dec7f18dda419089bcfbe3d30f4021f9536569
  SHA512: 5c0663508ec68c4e58810e539e01e58d047a744db2dc818926e4996020157fca83c05cf858a560460c0c304c6d0303fda2a7e6832ab3cec3211649cc7a86346e