Analysis
max time kernel: 32s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-12-2024 23:36
Static task: static1
Behavioral task: behavioral1
Sample: add4cb9a3703276234a7ed01856a3e27eca8d3020af799d4b4f5cf262cee9403N.dll
Resource: win7-20240903-en
General
Target: add4cb9a3703276234a7ed01856a3e27eca8d3020af799d4b4f5cf262cee9403N.dll
Size: 120KB
MD5: 0db980c729bbe020a9cba9b9be55b240
SHA1: 5234789f30ba143496d358bf8984b77553630679
SHA256: add4cb9a3703276234a7ed01856a3e27eca8d3020af799d4b4f5cf262cee9403
SHA512: e2d9220ca6bc171d280a3b6f398ee65299451a832e84edf29d48922ed9877d23e7bd7fefa492d4010d83cbd651423cd17491adb8f74d88d7b9fbf1c3cbe2746b
SSDEEP: 3072:fwksE/5ya0RBpWco/9yGreKRjrg1QFBNWDgYRRL7:fUaytu/9yGeKZg7fT
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" by e57a70d.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" by e57a70d.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" by e5775fb.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" by e5775fb.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" by e5775fb.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" by e57a70d.exe
Sality family
UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by e57a70d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by e5775fb.exe
Windows security bypass
Each of the following values is set (int) to "1" by both e5775fb.exe and e57a70d.exe:
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify
Executes dropped EXE (3 IoCs)
- PID 788 e5775fb.exe
- PID 3740 e5777c0.exe
- PID 3340 e57a70d.exe
Windows security modification
Each of the following values is set (int) to "1" by both e5775fb.exe and e57a70d.exe:
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc by e5775fb.exe and by e57a70d.exe
Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by e57a70d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by e5775fb.exe
Enumerates connected drives (3 TTPs, 8 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\E: by e5775fb.exe
- File opened (read-only) \??\G: by e5775fb.exe
- File opened (read-only) \??\H: by e5775fb.exe
- File opened (read-only) \??\I: by e5775fb.exe
- File opened (read-only) \??\J: by e5775fb.exe
- File opened (read-only) \??\K: by e5775fb.exe
- File opened (read-only) \??\E: by e57a70d.exe
- File opened (read-only) \??\G: by e57a70d.exe
Yara rule match: upx (29 memory dumps)
- PID 788, region 0x00000000007E0000-0x000000000189A000: behavioral2/memory/788-N-0x00000000007E0000-0x000000000189A000-memory.dmp for N in 6, 8, 9, 10, 11, 12, 13, 19, 20, 26, 32, 36, 37, 38, 39, 40, 55, 56, 57, 58, 61, 62, 64 (23 dumps)
- PID 3340, region 0x0000000000740000-0x00000000017FA000: behavioral2/memory/3340-N-0x0000000000740000-0x00000000017FA000-memory.dmp for N in 88, 90, 92, 95, 96, 136 (6 dumps)
Drops file in Windows directory (3 IoCs)
- File created C:\Windows\e577649 by e5775fb.exe
- File opened for modification C:\Windows\SYSTEM.INI by e5775fb.exe
- File created C:\Windows\e57ce9a by e57a70d.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by e57a70d.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by rundll32.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by e5775fb.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by e5777c0.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 788 e5775fb.exe (4 occurrences)
- PID 3340 e57a70d.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 788 e5775fb.exe (64 occurrences)
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1156 rundll32.exe wrote to memory of PID 1376 rundll32.exe (3 occurrences)
- PID 1376 rundll32.exe wrote to memory of PID 788 e5775fb.exe (3 occurrences), PID 3740 e5777c0.exe (3 occurrences) and PID 3340 e57a70d.exe (3 occurrences)
- PID 788 e5775fb.exe wrote to memory of PIDs 764, 772, 316, 2864, 3076, 3228, 3520, 3648, 3836, 3948, 4052, 3752, 4164, 652, 5024, 5084, 1156, 1376 (2 occurrences) and, in a second pass over the same PIDs, 3740 (2 occurrences)
- PID 3340 e57a70d.exe wrote to memory of PIDs 764, 772, 316, 2864, 3076, 3228, 3520, 3648, 3836, 3948, 4052, 3752, 4164 and 652
System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by e5775fb.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by e57a70d.exe
Processes
- depth 1 | C:\Windows\system32\fontdrvhost.exe | cmd: "fontdrvhost.exe" | PID 764
- depth 1 | C:\Windows\system32\fontdrvhost.exe | cmd: "fontdrvhost.exe" | PID 772
- depth 1 | C:\Windows\system32\dwm.exe | cmd: "dwm.exe" | PID 316
- depth 1 | C:\Windows\system32\sihost.exe | cmd: sihost.exe | PID 2864
- depth 1 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 3076
- depth 1 | C:\Windows\system32\taskhostw.exe | cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3228
- depth 1 | C:\Windows\Explorer.EXE | cmd: C:\Windows\Explorer.EXE | PID 3520
  - depth 2 | C:\Windows\system32\rundll32.exe | cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\add4cb9a3703276234a7ed01856a3e27eca8d3020af799d4b4f5cf262cee9403N.dll,#1 | PID 1156
    signatures: Suspicious use of WriteProcessMemory
    - depth 3 | C:\Windows\SysWOW64\rundll32.exe | cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\add4cb9a3703276234a7ed01856a3e27eca8d3020af799d4b4f5cf262cee9403N.dll,#1 | PID 1376
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - depth 4 | C:\Users\Admin\AppData\Local\Temp\e5775fb.exe | cmd: C:\Users\Admin\AppData\Local\Temp\e5775fb.exe | PID 788
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - depth 4 | C:\Users\Admin\AppData\Local\Temp\e5777c0.exe | cmd: C:\Users\Admin\AppData\Local\Temp\e5777c0.exe | PID 3740
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - depth 4 | C:\Users\Admin\AppData\Local\Temp\e57a70d.exe | cmd: C:\Users\Admin\AppData\Local\Temp\e57a70d.exe | PID 3340
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- depth 1 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3648
- depth 1 | C:\Windows\system32\DllHost.exe | cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3836
- depth 1 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3948
- depth 1 | C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4052
- depth 1 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3752
- depth 1 | C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4164
- depth 1 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 652
- depth 1 | C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 5024
- depth 1 | C:\Windows\system32\backgroundTaskHost.exe | cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 5084
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 26373cbf0130eea449564bdfe321af16
  SHA1: bc94cfdfed5dfdf826453842741fc4d8651bb694
  SHA256: c27df0a9163b2c2457fbf42017a3c312c358c35a6661b4adcbc40688a0543672
  SHA512: cdea2cc92540fa07957c8daacf2d3928537144b09fed166057dcd4f849e3e8df53e0ad70da86d340938e11f46a9ec4dd2b06c71d5828c7e7887343e7ae70860b
- Filesize: 257B
  MD5: 87b949447ac4db8810c60ce4d678dcd6
  SHA1: 7436ecb0e1127b2db0d1d708ce2198a0eea50f0f
  SHA256: 2fb4ea0fb571e9b51c3983c5a088ae3edc5fe5459b4dfd05f280eaee67ac525f
  SHA512: 70446d07b9fe14c62fa8a7fc5bf2a14c5f40dfe910e014d4bddaf2c78947054c2e21fc6875cc344ab66afc8cbc7ee89a50710f8887e48123b5b338410b7819a5