Analysis
- max time kernel: 92s
- max time network: 99s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 00:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: 654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fdN.dll
- Resource: win7-20240903-en
General
- Target: 654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fdN.dll
- Size: 120KB
- MD5: 790dc15e1a2dbcf016963904499a8520
- SHA1: 87786547ed264dcc5958ac4b207a45663fe43cca
- SHA256: 654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fd
- SHA512: 09d0533f48f9d8d7e9e0dfc3e2c868245005ec32b19e97aeefa38fffa023d05fcb381dcb11535324ff72b220910346f219c6942b84127a02eb9af3118d77167e
- SSDEEP: 1536:zr+6wOnMvsnZJjb2HXki8L2TkWZJVxUbVeessIaGiyLyxTJQp6tSDEDHfI:Hp6vSB2HtgHWZ3xUZedH2/9O6wD4
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579f0f.exe
Sality family
-
UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5774a3.exe
Windows security bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579f0f.exe
Executes dropped EXE (3 IoCs)
pid | Process
4828 | e5774a3.exe
2004 | e5776c6.exe
4572 | e579f0f.exe
Windows security modification (14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579f0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5774a3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579f0f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579f0f.exe
Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579f0f.exe
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | e5774a3.exe
File opened (read-only) | \??\E: | e579f0f.exe
File opened (read-only) | \??\G: | e579f0f.exe
File opened (read-only) | \??\I: | e579f0f.exe
File opened (read-only) | \??\G: | e5774a3.exe
File opened (read-only) | \??\I: | e5774a3.exe
File opened (read-only) | \??\J: | e5774a3.exe
File opened (read-only) | \??\H: | e579f0f.exe
File opened (read-only) | \??\J: | e579f0f.exe
File opened (read-only) | \??\E: | e5774a3.exe
File opened (read-only) | \??\H: | e5774a3.exe
File opened (read-only) | \??\K: | e5774a3.exe
resource | yara_rule
behavioral2/memory/4828-6-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-9-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-30-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-25-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-31-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-11-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-10-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-33-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-8-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-34-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-35-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-36-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-37-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-38-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-39-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-54-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-56-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-58-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-60-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-61-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-62-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4828-65-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4572-107-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/4572-93-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/4572-91-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/4572-141-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57756e | e5774a3.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5774a3.exe
File created | C:\Windows\e57c69c | e579f0f.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5774a3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5776c6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579f0f.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4828 | e5774a3.exe
4828 | e5774a3.exe
4828 | e5774a3.exe
4828 | e5774a3.exe
4572 | e579f0f.exe
4572 | e579f0f.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4828 | e5774a3.exe   (this identical entry is recorded 64 times)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 5052 wrote to memory of 2016 | 5052 | rundll32.exe | 83   (3 entries)
PID 2016 wrote to memory of 4828 | 2016 | rundll32.exe | 84   (3 entries)
PID 4828 wrote to memory of 792 | 4828 | e5774a3.exe | 9
PID 4828 wrote to memory of 800 | 4828 | e5774a3.exe | 10
PID 4828 wrote to memory of 60 | 4828 | e5774a3.exe | 13
PID 4828 wrote to memory of 2964 | 4828 | e5774a3.exe | 51
PID 4828 wrote to memory of 3024 | 4828 | e5774a3.exe | 52
PID 4828 wrote to memory of 2636 | 4828 | e5774a3.exe | 53
PID 4828 wrote to memory of 3436 | 4828 | e5774a3.exe | 56
PID 4828 wrote to memory of 3564 | 4828 | e5774a3.exe | 57
PID 4828 wrote to memory of 3740 | 4828 | e5774a3.exe | 58
PID 4828 wrote to memory of 3840 | 4828 | e5774a3.exe | 59
PID 4828 wrote to memory of 3904 | 4828 | e5774a3.exe | 60
PID 4828 wrote to memory of 3992 | 4828 | e5774a3.exe | 61
PID 4828 wrote to memory of 4112 | 4828 | e5774a3.exe | 62
PID 4828 wrote to memory of 2316 | 4828 | e5774a3.exe | 64
PID 4828 wrote to memory of 1800 | 4828 | e5774a3.exe | 76
PID 4828 wrote to memory of 1640 | 4828 | e5774a3.exe | 81
PID 4828 wrote to memory of 5052 | 4828 | e5774a3.exe | 82
PID 4828 wrote to memory of 2016 | 4828 | e5774a3.exe | 83   (2 entries)
PID 2016 wrote to memory of 2004 | 2016 | rundll32.exe | 85   (3 entries)
PID 4828 wrote to memory of 792 | 4828 | e5774a3.exe | 9
PID 4828 wrote to memory of 800 | 4828 | e5774a3.exe | 10
PID 4828 wrote to memory of 60 | 4828 | e5774a3.exe | 13
PID 4828 wrote to memory of 2964 | 4828 | e5774a3.exe | 51
PID 4828 wrote to memory of 3024 | 4828 | e5774a3.exe | 52
PID 4828 wrote to memory of 2636 | 4828 | e5774a3.exe | 53
PID 4828 wrote to memory of 3436 | 4828 | e5774a3.exe | 56
PID 4828 wrote to memory of 3564 | 4828 | e5774a3.exe | 57
PID 4828 wrote to memory of 3740 | 4828 | e5774a3.exe | 58
PID 4828 wrote to memory of 3840 | 4828 | e5774a3.exe | 59
PID 4828 wrote to memory of 3904 | 4828 | e5774a3.exe | 60
PID 4828 wrote to memory of 3992 | 4828 | e5774a3.exe | 61
PID 4828 wrote to memory of 4112 | 4828 | e5774a3.exe | 62
PID 4828 wrote to memory of 2316 | 4828 | e5774a3.exe | 64
PID 4828 wrote to memory of 1800 | 4828 | e5774a3.exe | 76
PID 4828 wrote to memory of 1640 | 4828 | e5774a3.exe | 81
PID 4828 wrote to memory of 5052 | 4828 | e5774a3.exe | 82
PID 4828 wrote to memory of 2004 | 4828 | e5774a3.exe | 85   (2 entries)
PID 2016 wrote to memory of 4572 | 2016 | rundll32.exe | 86   (3 entries)
PID 4572 wrote to memory of 792 | 4572 | e579f0f.exe | 9
PID 4572 wrote to memory of 800 | 4572 | e579f0f.exe | 10
PID 4572 wrote to memory of 60 | 4572 | e579f0f.exe | 13
PID 4572 wrote to memory of 2964 | 4572 | e579f0f.exe | 51
PID 4572 wrote to memory of 3024 | 4572 | e579f0f.exe | 52
PID 4572 wrote to memory of 2636 | 4572 | e579f0f.exe | 53
PID 4572 wrote to memory of 3436 | 4572 | e579f0f.exe | 56
PID 4572 wrote to memory of 3564 | 4572 | e579f0f.exe | 57
PID 4572 wrote to memory of 3740 | 4572 | e579f0f.exe | 58
PID 4572 wrote to memory of 3840 | 4572 | e579f0f.exe | 59
PID 4572 wrote to memory of 3904 | 4572 | e579f0f.exe | 60
PID 4572 wrote to memory of 3992 | 4572 | e579f0f.exe | 61
PID 4572 wrote to memory of 4112 | 4572 | e579f0f.exe | 62
PID 4572 wrote to memory of 2316 | 4572 | e579f0f.exe | 64
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5774a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579f0f.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command: "fontdrvhost.exe"
  PID: 792
- C:\Windows\system32\fontdrvhost.exe
  Command: "fontdrvhost.exe"
  PID: 800
- C:\Windows\system32\dwm.exe
  Command: "dwm.exe"
  PID: 60
- C:\Windows\system32\sihost.exe
  Command: sihost.exe
  PID: 2964
- C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 3024
- C:\Windows\system32\taskhostw.exe
  Command: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2636
- C:\Windows\Explorer.EXE
  Command: C:\Windows\Explorer.EXE
  PID: 3436
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fdN.dll,#1
  PID: 5052
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fdN.dll,#1
    PID: 2016
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\e5774a3.exe
      Command: C:\Users\Admin\AppData\Local\Temp\e5774a3.exe
      PID: 4828
      Signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\e5776c6.exe
      Command: C:\Users\Admin\AppData\Local\Temp\e5776c6.exe
      PID: 2004
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\e579f0f.exe
      Command: C:\Users\Admin\AppData\Local\Temp\e579f0f.exe
      PID: 4572
      Signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3564
- C:\Windows\system32\DllHost.exe
  Command: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3740
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3840
- C:\Windows\System32\RuntimeBroker.exe
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3904
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3992
- C:\Windows\System32\RuntimeBroker.exe
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4112
- C:\Windows\System32\RuntimeBroker.exe
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2316
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 1800
- C:\Windows\system32\backgroundTaskHost.exe
  Command: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 1640
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 8d9158a452f25b00b23bf24c12aba973
  SHA1: 15f6e0d90369baf96915e63824e93505f9cd90f9
  SHA256: 8cdc190d8c5f59844dae0893a10ae105ec03d198da026b157ca217fe29d9cb52
  SHA512: 1a58a02b22bd6549be93f4613915557b8e7553cc2722e51e9af7ecbb88427f8c5eb156cc176fa1c40031cc16e5f2609336b6d846fc6a3120ec97d628259a0366
- Filesize: 257B
  MD5: 316afbdf3fe55c30aff404818af73f2c
  SHA1: ba5ec5c6be441a767ec23100b4fac1672dd7f466
  SHA256: f5a13b3d512a1fb4acf8fbc4df7a60ba4e235bd79de07afc6ea3b639473f0d02
  SHA512: ad23518b490015b422b9c38d3d7bb08094602dedea5b2632f4fc0bd0dd4a84081c2c1c72917aebab796118bd8266b5f1fc048109f3e54c4677802756597a8d67