Analysis
max time kernel: 93s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 16-12-2024 06:19
Static task: static1
Behavioral task: behavioral1
Sample: 3361fd892cf06af1e3637de2ce648e4e16b63e9dfe0a09c7a7e662f7cd16a451N.dll
Resource: win7-20240729-en
General
Target: 3361fd892cf06af1e3637de2ce648e4e16b63e9dfe0a09c7a7e662f7cd16a451N.dll
Size: 120KB
MD5: fe6bbb5f85656ad1950ebb48f8741850
SHA1: 5f3cb0db6bfe7540619529dd6d5a46196f17fe60
SHA256: 3361fd892cf06af1e3637de2ce648e4e16b63e9dfe0a09c7a7e662f7cd16a451
SHA512: 63277cd3d889458646ad7d493a1fb93dcb68c5f102a47c4116ec629761c2cde25c7fcc1148148b1de6558110b21fc715b510594339f0efa3ee97770122225853
SSDEEP: 1536:vZDGkT7gCWeMEr+T/cH5FayktsSv3P9RydafYcqq2MrokM6a846eLGqDOM:JGkRPMESbwFDSX9oMfYnkrXeyqDOM
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577203.exe
Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57949f.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57949f.exe
Executes dropped EXE 4 IoCs
pid | Process
1984 | e577203.exe
1844 | e5774a3.exe
1016 | e57947f.exe
3428 | e57949f.exe

Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577203.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57949f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57949f.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57949f.exe
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | e577203.exe
File opened (read-only) | \??\M: | e577203.exe
File opened (read-only) | \??\N: | e577203.exe
File opened (read-only) | \??\H: | e57949f.exe
File opened (read-only) | \??\H: | e577203.exe
File opened (read-only) | \??\G: | e577203.exe
File opened (read-only) | \??\I: | e577203.exe
File opened (read-only) | \??\J: | e577203.exe
File opened (read-only) | \??\K: | e577203.exe
File opened (read-only) | \??\E: | e57949f.exe
File opened (read-only) | \??\G: | e57949f.exe
File opened (read-only) | \??\E: | e577203.exe
resource | yara_rule
behavioral2/memory/1984-11-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-9-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-8-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-10-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-12-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-13-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-29-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-21-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-20-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-19-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-37-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-36-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-38-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-52-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-51-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-67-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-68-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-70-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-71-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-72-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-74-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-77-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-78-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-80-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/1984-82-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/3428-117-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
behavioral2/memory/3428-155-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e5772a0 | e577203.exe
File opened for modification | C:\Windows\SYSTEM.INI | e577203.exe
File created | C:\Windows\e57c3cd | e57949f.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57947f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57949f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577203.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5774a3.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1984 | e577203.exe
1984 | e577203.exe
1984 | e577203.exe
1984 | e577203.exe
3428 | e57949f.exe
3428 | e57949f.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1984 | e577203.exe
(this row is repeated 64 times in the report, all for PID 1984 / e577203.exe)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1260 wrote to memory of 3108 | 1260 | rundll32.exe | 83
PID 1260 wrote to memory of 3108 | 1260 | rundll32.exe | 83
PID 1260 wrote to memory of 3108 | 1260 | rundll32.exe | 83
PID 3108 wrote to memory of 1984 | 3108 | rundll32.exe | 84
PID 3108 wrote to memory of 1984 | 3108 | rundll32.exe | 84
PID 3108 wrote to memory of 1984 | 3108 | rundll32.exe | 84
PID 1984 wrote to memory of 788 | 1984 | e577203.exe | 9
PID 1984 wrote to memory of 796 | 1984 | e577203.exe | 10
PID 1984 wrote to memory of 316 | 1984 | e577203.exe | 13
PID 1984 wrote to memory of 2652 | 1984 | e577203.exe | 44
PID 1984 wrote to memory of 2664 | 1984 | e577203.exe | 45
PID 1984 wrote to memory of 2844 | 1984 | e577203.exe | 51
PID 1984 wrote to memory of 3488 | 1984 | e577203.exe | 56
PID 1984 wrote to memory of 3632 | 1984 | e577203.exe | 57
PID 1984 wrote to memory of 3848 | 1984 | e577203.exe | 58
PID 1984 wrote to memory of 3940 | 1984 | e577203.exe | 59
PID 1984 wrote to memory of 4000 | 1984 | e577203.exe | 60
PID 1984 wrote to memory of 4088 | 1984 | e577203.exe | 61
PID 1984 wrote to memory of 3844 | 1984 | e577203.exe | 62
PID 1984 wrote to memory of 4116 | 1984 | e577203.exe | 75
PID 1984 wrote to memory of 1040 | 1984 | e577203.exe | 76
PID 1984 wrote to memory of 1968 | 1984 | e577203.exe | 81
PID 1984 wrote to memory of 1260 | 1984 | e577203.exe | 82
PID 1984 wrote to memory of 3108 | 1984 | e577203.exe | 83
PID 1984 wrote to memory of 3108 | 1984 | e577203.exe | 83
PID 3108 wrote to memory of 1844 | 3108 | rundll32.exe | 85
PID 3108 wrote to memory of 1844 | 3108 | rundll32.exe | 85
PID 3108 wrote to memory of 1844 | 3108 | rundll32.exe | 85
PID 3108 wrote to memory of 1016 | 3108 | rundll32.exe | 88
PID 3108 wrote to memory of 1016 | 3108 | rundll32.exe | 88
PID 3108 wrote to memory of 1016 | 3108 | rundll32.exe | 88
PID 3108 wrote to memory of 3428 | 3108 | rundll32.exe | 89
PID 3108 wrote to memory of 3428 | 3108 | rundll32.exe | 89
PID 3108 wrote to memory of 3428 | 3108 | rundll32.exe | 89
PID 1984 wrote to memory of 788 | 1984 | e577203.exe | 9
PID 1984 wrote to memory of 796 | 1984 | e577203.exe | 10
PID 1984 wrote to memory of 316 | 1984 | e577203.exe | 13
PID 1984 wrote to memory of 2652 | 1984 | e577203.exe | 44
PID 1984 wrote to memory of 2664 | 1984 | e577203.exe | 45
PID 1984 wrote to memory of 2844 | 1984 | e577203.exe | 51
PID 1984 wrote to memory of 3488 | 1984 | e577203.exe | 56
PID 1984 wrote to memory of 3632 | 1984 | e577203.exe | 57
PID 1984 wrote to memory of 3848 | 1984 | e577203.exe | 58
PID 1984 wrote to memory of 3940 | 1984 | e577203.exe | 59
PID 1984 wrote to memory of 4000 | 1984 | e577203.exe | 60
PID 1984 wrote to memory of 4088 | 1984 | e577203.exe | 61
PID 1984 wrote to memory of 3844 | 1984 | e577203.exe | 62
PID 1984 wrote to memory of 4116 | 1984 | e577203.exe | 75
PID 1984 wrote to memory of 1040 | 1984 | e577203.exe | 76
PID 1984 wrote to memory of 1968 | 1984 | e577203.exe | 81
PID 1984 wrote to memory of 1844 | 1984 | e577203.exe | 85
PID 1984 wrote to memory of 1844 | 1984 | e577203.exe | 85
PID 1984 wrote to memory of 1016 | 1984 | e577203.exe | 88
PID 1984 wrote to memory of 1016 | 1984 | e577203.exe | 88
PID 1984 wrote to memory of 3428 | 1984 | e577203.exe | 89
PID 1984 wrote to memory of 3428 | 1984 | e577203.exe | 89
PID 3428 wrote to memory of 788 | 3428 | e57949f.exe | 9
PID 3428 wrote to memory of 796 | 3428 | e57949f.exe | 10
PID 3428 wrote to memory of 316 | 3428 | e57949f.exe | 13
PID 3428 wrote to memory of 2652 | 3428 | e57949f.exe | 44
PID 3428 wrote to memory of 2664 | 3428 | e57949f.exe | 45
PID 3428 wrote to memory of 2844 | 3428 | e57949f.exe | 51
PID 3428 wrote to memory of 3488 | 3428 | e57949f.exe | 56
PID 3428 wrote to memory of 3632 | 3428 | e57949f.exe | 57
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57949f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577203.exe
Processes
(indentation shows the process tree level reported by the sandbox)

C:\Windows\system32\fontdrvhost.exe (level 1, PID 788)
  command line: "fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe (level 1, PID 796)
  command line: "fontdrvhost.exe"

C:\Windows\system32\dwm.exe (level 1, PID 316)
  command line: "dwm.exe"

C:\Windows\system32\sihost.exe (level 1, PID 2652)
  command line: sihost.exe

C:\Windows\system32\svchost.exe (level 1, PID 2664)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe (level 1, PID 2844)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE (level 1, PID 3488)
  command line: C:\Windows\Explorer.EXE

  C:\Windows\system32\rundll32.exe (level 2, PID 1260)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3361fd892cf06af1e3637de2ce648e4e16b63e9dfe0a09c7a7e662f7cd16a451N.dll,#1
    signatures:
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (level 3, PID 3108)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3361fd892cf06af1e3637de2ce648e4e16b63e9dfe0a09c7a7e662f7cd16a451N.dll,#1
      signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\e577203.exe (level 4, PID 1984)
        command line: C:\Users\Admin\AppData\Local\Temp\e577203.exe
        signatures:
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

      C:\Users\Admin\AppData\Local\Temp\e5774a3.exe (level 4, PID 1844)
        command line: C:\Users\Admin\AppData\Local\Temp\e5774a3.exe
        signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Local\Temp\e57947f.exe (level 4, PID 1016)
        command line: C:\Users\Admin\AppData\Local\Temp\e57947f.exe
        signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Local\Temp\e57949f.exe (level 4, PID 3428)
        command line: C:\Users\Admin\AppData\Local\Temp\e57949f.exe
        signatures:
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - System policy modification

C:\Windows\system32\svchost.exe (level 1, PID 3632)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe (level 1, PID 3848)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1, PID 3940)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe (level 1, PID 4000)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (level 1, PID 4088)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe (level 1, PID 3844)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (level 1, PID 4116)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe (level 1, PID 1040)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe (level 1, PID 1968)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15
(technique counts in parentheses)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

File 1
Filesize: 97KB
MD5: 7d07645cd46cc95b1014dd4d72e5668f
SHA1: 4c72570bda19d4b3262b6f2ed0b77403fea7b435
SHA256: 8beccb3927f6c97abc29599c32e57014f30d6efdc5f5903f53b7a39126dc4708
SHA512: ffec58a2029a0dc11f6c8e26f0db81fcd5df027902aad6a891ad0355c774b721807ccbf70825a00289110b2018c6468793e1cf21ed9dc07a5242d63a301d490f

File 2
Filesize: 257B
MD5: cd0930d2ed9cf2e40979c09433bfb61d
SHA1: 6e275590c24ec878dd9c24615d1736de798bad98
SHA256: aa0d748112b0a9f73438d5128a80742651d48f8dae34d84075c42db873fa4a9d
SHA512: 7ee513d27d6a3cab0282b557e8e09be746258f364f245b3012238c621989f4fb14580cb223114ccf2a547c5836a5bb7340801209db033a5b125e1b114b81315c