Analysis

max time kernel: 30s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 16-12-2024 02:54

Static task: static1
Behavioral task: behavioral1
Sample: 424310c8d96f7510c09c2b4263088543872b9d9f56b005a1ad41096c22323505N.dll
Resource: win7-20240708-en
General

Target: 424310c8d96f7510c09c2b4263088543872b9d9f56b005a1ad41096c22323505N.dll
Size: 120KB
MD5: d02301f1313a242f4b37b99019210830
SHA1: b1742734cf1390b119e108195bbe0e466ad59a5e
SHA256: 424310c8d96f7510c09c2b4263088543872b9d9f56b005a1ad41096c22323505
SHA512: 1451a0de8b27a4880e18945d852874b884bd36d01eaa2991a0afbe4729677983fa9b7004c3e8fc908fbd2a9b4e4d4aa76d347bf64681a99445ccc328c76b7b98
SSDEEP: 3072:/v+1x+3wXG+GQNg/3v285fvevIEdBIeirFzBYVv:/v+1DvE/285yRTIemiR
Malware Config

Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579078.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b90f.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b90f.exe
Executes dropped EXE 4 IoCs
pid | Process
3840 | e579078.exe
1408 | e5791d0.exe
2276 | e57b8e0.exe
2816 | e57b90f.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579078.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b90f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b90f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b90f.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b90f.exe
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | e579078.exe
File opened (read-only) | \??\E: | e57b90f.exe
File opened (read-only) | \??\G: | e57b90f.exe
File opened (read-only) | \??\G: | e579078.exe
File opened (read-only) | \??\H: | e579078.exe
File opened (read-only) | \??\I: | e579078.exe
File opened (read-only) | \??\J: | e579078.exe
File opened (read-only) | \??\K: | e579078.exe
File opened (read-only) | \??\H: | e57b90f.exe
File opened (read-only) | \??\I: | e57b90f.exe
File opened (read-only) | \??\E: | e579078.exe
File opened (read-only) | \??\M: | e579078.exe
File opened (read-only) | \??\N: | e579078.exe

YARA rule matches on memory dumps (rule: upx)
resource | yara_rule
behavioral2/memory/3840-6-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-10-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-29-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-33-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-12-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-36-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-28-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-19-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-11-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-9-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-8-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-37-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-38-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-39-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-40-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-41-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-70-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-72-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-73-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-75-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-76-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-77-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-79-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-84-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3840-94-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/2816-126-0x0000000000B60000-0x0000000001C1A000-memory.dmp | upx
behavioral2/memory/2816-170-0x0000000000B60000-0x0000000001C1A000-memory.dmp | upx
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e579078.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e579078.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e579078.exe

Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57e138 | e57b90f.exe
File created | C:\Windows\e5790e6 | e579078.exe
File opened for modification | C:\Windows\SYSTEM.INI | e579078.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5791d0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b8e0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b90f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579078.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3840 | e579078.exe (entry repeated 4 times)
2816 | e57b90f.exe (entry repeated 2 times)

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3840 | e579078.exe (entry repeated 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 632 wrote to memory of 1516 | 632 | rundll32.exe | 83 (entry repeated 3 times)
PID 1516 wrote to memory of 3840 | 1516 | rundll32.exe | 84 (entry repeated 3 times)
PID 3840 wrote to memory of 784 | 3840 | e579078.exe | 8
PID 3840 wrote to memory of 792 | 3840 | e579078.exe | 9
PID 3840 wrote to memory of 316 | 3840 | e579078.exe | 13
PID 3840 wrote to memory of 2876 | 3840 | e579078.exe | 49
PID 3840 wrote to memory of 2892 | 3840 | e579078.exe | 50
PID 3840 wrote to memory of 3008 | 3840 | e579078.exe | 51
PID 3840 wrote to memory of 3424 | 3840 | e579078.exe | 56
PID 3840 wrote to memory of 3552 | 3840 | e579078.exe | 57
PID 3840 wrote to memory of 3732 | 3840 | e579078.exe | 58
PID 3840 wrote to memory of 3820 | 3840 | e579078.exe | 59
PID 3840 wrote to memory of 3888 | 3840 | e579078.exe | 60
PID 3840 wrote to memory of 3964 | 3840 | e579078.exe | 61
PID 3840 wrote to memory of 4020 | 3840 | e579078.exe | 62
PID 3840 wrote to memory of 4292 | 3840 | e579078.exe | 64
PID 3840 wrote to memory of 4544 | 3840 | e579078.exe | 76
PID 3840 wrote to memory of 1872 | 3840 | e579078.exe | 81
PID 3840 wrote to memory of 632 | 3840 | e579078.exe | 82
PID 3840 wrote to memory of 1516 | 3840 | e579078.exe | 83 (entry repeated 2 times)
PID 1516 wrote to memory of 1408 | 1516 | rundll32.exe | 85 (entry repeated 3 times)
PID 1516 wrote to memory of 2276 | 1516 | rundll32.exe | 86 (entry repeated 3 times)
PID 1516 wrote to memory of 2816 | 1516 | rundll32.exe | 87 (entry repeated 3 times)
PID 3840 wrote to memory of 784 | 3840 | e579078.exe | 8
PID 3840 wrote to memory of 792 | 3840 | e579078.exe | 9
PID 3840 wrote to memory of 316 | 3840 | e579078.exe | 13
PID 3840 wrote to memory of 2876 | 3840 | e579078.exe | 49
PID 3840 wrote to memory of 2892 | 3840 | e579078.exe | 50
PID 3840 wrote to memory of 3008 | 3840 | e579078.exe | 51
PID 3840 wrote to memory of 3424 | 3840 | e579078.exe | 56
PID 3840 wrote to memory of 3552 | 3840 | e579078.exe | 57
PID 3840 wrote to memory of 3732 | 3840 | e579078.exe | 58
PID 3840 wrote to memory of 3820 | 3840 | e579078.exe | 59
PID 3840 wrote to memory of 3888 | 3840 | e579078.exe | 60
PID 3840 wrote to memory of 3964 | 3840 | e579078.exe | 61
PID 3840 wrote to memory of 4020 | 3840 | e579078.exe | 62
PID 3840 wrote to memory of 4292 | 3840 | e579078.exe | 64
PID 3840 wrote to memory of 4544 | 3840 | e579078.exe | 76
PID 3840 wrote to memory of 1872 | 3840 | e579078.exe | 81
PID 3840 wrote to memory of 1408 | 3840 | e579078.exe | 85 (entry repeated 2 times)
PID 3840 wrote to memory of 2276 | 3840 | e579078.exe | 86 (entry repeated 2 times)
PID 3840 wrote to memory of 2816 | 3840 | e579078.exe | 87 (entry repeated 2 times)
PID 2816 wrote to memory of 784 | 2816 | e57b90f.exe | 8
PID 2816 wrote to memory of 792 | 2816 | e57b90f.exe | 9
PID 2816 wrote to memory of 316 | 2816 | e57b90f.exe | 13
PID 2816 wrote to memory of 2876 | 2816 | e57b90f.exe | 49
PID 2816 wrote to memory of 2892 | 2816 | e57b90f.exe | 50
PID 2816 wrote to memory of 3008 | 2816 | e57b90f.exe | 51
PID 2816 wrote to memory of 3424 | 2816 | e57b90f.exe | 56
PID 2816 wrote to memory of 3552 | 2816 | e57b90f.exe | 57
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b90f.exe
Processes (indentation shows the process tree depth; each entry is image path | command line | PID, followed by the signatures triggered by that process)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792

C:\Windows\system32\dwm.exe | "dwm.exe" | PID:316

C:\Windows\system32\sihost.exe | sihost.exe | PID:2876

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2892

C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3008

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3424

C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\424310c8d96f7510c09c2b4263088543872b9d9f56b005a1ad41096c22323505N.dll,#1 | PID:632
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\424310c8d96f7510c09c2b4263088543872b9d9f56b005a1ad41096c22323505N.dll,#1 | PID:1516
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\e579078.exe | C:\Users\Admin\AppData\Local\Temp\e579078.exe | PID:3840
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

        C:\Users\Admin\AppData\Local\Temp\e5791d0.exe | C:\Users\Admin\AppData\Local\Temp\e5791d0.exe | PID:1408
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\e57b8e0.exe | C:\Users\Admin\AppData\Local\Temp\e57b8e0.exe | PID:2276
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\e57b90f.exe | C:\Users\Admin\AppData\Local\Temp\e57b90f.exe | PID:2816
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - System policy modification

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3552

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3820

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3964

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4020

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4292

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4544

C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1872

C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1880
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 15b966074d01fceb44f96fa4016ae847
SHA1: fb7452f66282f0e8dc0b9e69bd5be8f1bd2310b1
SHA256: 8954e3d9ba711ae255f1027abaf9916a363c4d76ab77b601dc989f59be303e46
SHA512: e4041612d1ba4b1d62c1dd3be5b4ce5d31dc703b8759011d9fc52799604863d25302d35015ad3aef2c425b0a8a14074a952de745ff55b57b2f0471e4fae1a223

Filesize: 257B
MD5: b6ce979521419c3d711237f88c1c4392
SHA1: ac9eff24a23fb6645028d9fcb744467283e15b73
SHA256: ae8adc1e585bf220556e28ee5b02838b2ca745a4419a3282f34be2d83e024854
SHA512: 5b4df047a6ab790f922c5ba37ec8758884da11b5076b54dc0f332ee706a8a4cfd7b2f78d5f7e3083f5753a755d89cc2af846000ce7a1bf7987f40db857422dd7