Analysis
max time kernel: 33s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-12-2024 21:54
Static task: static1
Behavioral task: behavioral1
Sample: 512bc6701aeeec677597bb773f59eb4504d424947f4392fa9338285f292f58dfN.dll
Resource: win7-20240903-en
General
Target: 512bc6701aeeec677597bb773f59eb4504d424947f4392fa9338285f292f58dfN.dll
Size: 120KB
MD5: 1a03f47b50f4ac275a98406ef27c8400
SHA1: 41a3534a04be7bb112d33f3a31f3cb2caf51a73d
SHA256: 512bc6701aeeec677597bb773f59eb4504d424947f4392fa9338285f292f58df
SHA512: 00cf9d4419268b75427471dd50bb559908980548ff25a31848c79078092b8d92f4cecdb968819e4285d4a38c560e86af0eeb6994e75aa3e43fccc98aa6b3a06e
SSDEEP: 1536:qIiI09MI8eRjlw0DG1/Fw8XjDeJHV7g1lM0SL6Ek0UTKL0cr:10Tdplw0V8XN70w
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57be3f.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57be3f.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578a5e.exe
Executes dropped EXE (3 IoCs)
pid | Process
4916 | e578a5e.exe
1268 | e578b58.exe
4012 | e57be3f.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578a5e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57be3f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57be3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57be3f.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57be3f.exe
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | e57be3f.exe
File opened (read-only) | \??\E: | e578a5e.exe
File opened (read-only) | \??\J: | e578a5e.exe
File opened (read-only) | \??\K: | e578a5e.exe
File opened (read-only) | \??\L: | e578a5e.exe
File opened (read-only) | \??\E: | e57be3f.exe
File opened (read-only) | \??\G: | e57be3f.exe
File opened (read-only) | \??\H: | e57be3f.exe
File opened (read-only) | \??\G: | e578a5e.exe
File opened (read-only) | \??\H: | e578a5e.exe
File opened (read-only) | \??\I: | e578a5e.exe
File opened (read-only) | \??\M: | e578a5e.exe
UPX-packed memory regions (yara rule: upx) matched in memory dumps of PID 4916 (e578a5e.exe) and PID 4012 (e57be3f.exe)
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e578abb | e578a5e.exe
File opened for modification | C:\Windows\SYSTEM.INI | e578a5e.exe
File created | C:\Windows\e57e5bc | e57be3f.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578a5e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578b58.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57be3f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4916 | e578a5e.exe (x4)
4012 | e57be3f.exe (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4916 | e578a5e.exe (x64, all entries identical)
Suspicious use of WriteProcessMemory (64 IoCs; repeated entries shown once with their count)
description | pid | Process | procid_target
PID 1136 wrote to memory of 5112 | 1136 | rundll32.exe | 83 (x3)
PID 5112 wrote to memory of 4916 | 5112 | rundll32.exe | 84 (x3)
PID 4916 wrote to memory of 780 | 4916 | e578a5e.exe | 8 (x2)
PID 4916 wrote to memory of 776 | 4916 | e578a5e.exe | 9 (x2)
PID 4916 wrote to memory of 60 | 4916 | e578a5e.exe | 13 (x2)
PID 4916 wrote to memory of 2924 | 4916 | e578a5e.exe | 49 (x2)
PID 4916 wrote to memory of 748 | 4916 | e578a5e.exe | 52 (x2)
PID 4916 wrote to memory of 3148 | 4916 | e578a5e.exe | 53 (x2)
PID 4916 wrote to memory of 3496 | 4916 | e578a5e.exe | 56 (x2)
PID 4916 wrote to memory of 3616 | 4916 | e578a5e.exe | 57 (x2)
PID 4916 wrote to memory of 3792 | 4916 | e578a5e.exe | 58 (x2)
PID 4916 wrote to memory of 3884 | 4916 | e578a5e.exe | 59 (x2)
PID 4916 wrote to memory of 3948 | 4916 | e578a5e.exe | 60 (x2)
PID 4916 wrote to memory of 4036 | 4916 | e578a5e.exe | 61 (x2)
PID 4916 wrote to memory of 3160 | 4916 | e578a5e.exe | 62 (x2)
PID 4916 wrote to memory of 1660 | 4916 | e578a5e.exe | 75 (x2)
PID 4916 wrote to memory of 1272 | 4916 | e578a5e.exe | 76 (x2)
PID 4916 wrote to memory of 2988 | 4916 | e578a5e.exe | 81 (x2)
PID 4916 wrote to memory of 1136 | 4916 | e578a5e.exe | 82 (x2)
PID 4916 wrote to memory of 5112 | 4916 | e578a5e.exe | 83 (x2)
PID 5112 wrote to memory of 1268 | 5112 | rundll32.exe | 85 (x3)
PID 4916 wrote to memory of 1268 | 4916 | e578a5e.exe | 85 (x2)
PID 5112 wrote to memory of 4012 | 5112 | rundll32.exe | 87 (x3)
PID 4012 wrote to memory of 780 | 4012 | e57be3f.exe | 8
PID 4012 wrote to memory of 776 | 4012 | e57be3f.exe | 9
PID 4012 wrote to memory of 60 | 4012 | e57be3f.exe | 13
PID 4012 wrote to memory of 2924 | 4012 | e57be3f.exe | 49
PID 4012 wrote to memory of 748 | 4012 | e57be3f.exe | 52
PID 4012 wrote to memory of 3148 | 4012 | e57be3f.exe | 53
PID 4012 wrote to memory of 3496 | 4012 | e57be3f.exe | 56
PID 4012 wrote to memory of 3616 | 4012 | e57be3f.exe | 57
PID 4012 wrote to memory of 3792 | 4012 | e57be3f.exe | 58
PID 4012 wrote to memory of 3884 | 4012 | e57be3f.exe | 59
PID 4012 wrote to memory of 3948 | 4012 | e57be3f.exe | 60
PID 4012 wrote to memory of 4036 | 4012 | e57be3f.exe | 61
PID 4012 wrote to memory of 3160 | 4012 | e57be3f.exe | 62
PID 4012 wrote to memory of 1660 | 4012 | e57be3f.exe | 75
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578a5e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57be3f.exe
Processes
(image path | command line | PID; child processes are indented under their parent)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:60
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2924
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:748
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3148
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3496
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\512bc6701aeeec677597bb773f59eb4504d424947f4392fa9338285f292f58dfN.dll,#1 | PID:1136
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\512bc6701aeeec677597bb773f59eb4504d424947f4392fa9338285f292f58dfN.dll,#1 | PID:5112
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e578a5e.exe | C:\Users\Admin\AppData\Local\Temp\e578a5e.exe | PID:4916
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e578b58.exe | C:\Users\Admin\AppData\Local\Temp\e578b58.exe | PID:1268
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57be3f.exe | C:\Users\Admin\AppData\Local\Temp\e57be3f.exe | PID:4012
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3616
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3792
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3884
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3948
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4036
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3160
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1660
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1272
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2988
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 69242017077618350e6e4adb0f918971
  SHA1: a8f539da64224444ca19ed4b0bc4e5ccb1ff82d0
  SHA256: 705ca6c92d00afb9bfb0fa7ca917374a566feabf78405b2f59ba818b29107146
  SHA512: 524aa6d310a141e6e630c25ff559a4a6e33c1923c83ff40f9ea6e7e44400775eb2d4e35d1e52c16610af4bf6bd1cf7a2d24b7c86e7dae5eed3d9e8ba2b722462
- Filesize: 257B
  MD5: 9299785e06ba1cf98701e54da8679159
  SHA1: 1ca8d9a2f531339b06db831a7bf473a7265f3319
  SHA256: 0f1ee040273f2b90279f48564903bafa87481a5bd138cad3a711e1556c754b80
  SHA512: b7515c5c5a1afcb19c19cde47972e5bb8ac0b09bc8d4cedf7f70bc42aea9d817d1f569b26fe98857dce108bc39b0c786b3bbbf4fa515679d3b0143e2f230ef2a