Analysis
- max time kernel: 103s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 15:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: fd3b018c606d8b50ffbff36b103fe6fa25b822a9669061eef2f65d52d6880002N.dll
- Resource: win7-20241010-en
General
- Target: fd3b018c606d8b50ffbff36b103fe6fa25b822a9669061eef2f65d52d6880002N.dll
- Size: 120KB
- MD5: d1471a76ba6f37944a94ada05571ca00
- SHA1: 64ecd2ea624a43e91cc02a919ae2df22684ccee8
- SHA256: fd3b018c606d8b50ffbff36b103fe6fa25b822a9669061eef2f65d52d6880002
- SHA512: 12969cca4d657fcf3bf9a655cd97ffdc5204abd509085e469de45ec8d920b3bcd711c721d02fed2e347d819535a9090e9690c29d8a4c16704a692d3bce54af7a
- SSDEEP: 3072:U0ehl0bWAX22pbZUlqGdXlaYU8vOiUGM:z2l0bWAX22NelquaYjE
Malware Config
- Extracted family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
(description; ioc; Process)
- Set value (int); \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"; e5758de.exe
Sality family
UAC bypass 2 IoCs
(description; ioc; Process)
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; e577753.exe
Windows security bypass 12 IoCs
(description; ioc; Process)
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"; e577753.exe
Executes dropped EXE 4 IoCs
(pid; Process)
- 728; e5758de.exe
- 1840; e575a45.exe
- 1016; e577753.exe
- 1512; e577772.exe
Windows security modification 14 IoCs
(description; ioc; Process)
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"; e577753.exe
- Key created; \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"; e5758de.exe
- Key created; \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"; e577753.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"; e577753.exe
Checks whether UAC is enabled 2 IoCs
(description; ioc; Process)
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; e577753.exe
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
(description; ioc; Process)
- File opened (read-only); \??\M:; e5758de.exe
- File opened (read-only); \??\P:; e5758de.exe
- File opened (read-only); \??\E:; e5758de.exe
- File opened (read-only); \??\G:; e5758de.exe
- File opened (read-only); \??\J:; e5758de.exe
- File opened (read-only); \??\K:; e5758de.exe
- File opened (read-only); \??\L:; e5758de.exe
- File opened (read-only); \??\N:; e5758de.exe
- File opened (read-only); \??\O:; e5758de.exe
- File opened (read-only); \??\H:; e5758de.exe
- File opened (read-only); \??\I:; e5758de.exe
Drops file in Program Files directory 4 IoCs
(description; ioc; Process)
- File opened for modification; C:\Program Files\7-Zip\7z.exe; e5758de.exe
- File opened for modification; C:\Program Files\7-Zip\7zFM.exe; e5758de.exe
- File opened for modification; C:\Program Files\7-Zip\7zG.exe; e5758de.exe
- File opened for modification; C:\Program Files\7-Zip\Uninstall.exe; e5758de.exe
Drops file in Windows directory 3 IoCs
(description; ioc; Process)
- File created; C:\Windows\e57596a; e5758de.exe
- File opened for modification; C:\Windows\SYSTEM.INI; e5758de.exe
- File created; C:\Windows\e57c5f0; e577753.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
(description; ioc; Process)
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; rundll32.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; e5758de.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; e575a45.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; e577753.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; e577772.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
(pid; Process)
- 728; e5758de.exe (reported 4 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
(description; pid; Process)
- Token: SeDebugPrivilege; 728; e5758de.exe (reported 64 times)
Suspicious use of WriteProcessMemory 55 IoCs
(description; pid; Process; procid_target)
- PID 328 wrote to memory of 4116; 328; rundll32.exe; 85
- PID 4116 wrote to memory of 728; 4116; rundll32.exe; 86
- PID 728 wrote to memory of 776; 728; e5758de.exe; 8
- PID 728 wrote to memory of 780; 728; e5758de.exe; 9
- PID 728 wrote to memory of 64; 728; e5758de.exe; 13
- PID 728 wrote to memory of 2996; 728; e5758de.exe; 51
- PID 728 wrote to memory of 3068; 728; e5758de.exe; 52
- PID 728 wrote to memory of 2684; 728; e5758de.exe; 53
- PID 728 wrote to memory of 3428; 728; e5758de.exe; 56
- PID 728 wrote to memory of 3556; 728; e5758de.exe; 57
- PID 728 wrote to memory of 3768; 728; e5758de.exe; 58
- PID 728 wrote to memory of 3860; 728; e5758de.exe; 59
- PID 728 wrote to memory of 3924; 728; e5758de.exe; 60
- PID 728 wrote to memory of 4024; 728; e5758de.exe; 61
- PID 728 wrote to memory of 4196; 728; e5758de.exe; 62
- PID 728 wrote to memory of 4152; 728; e5758de.exe; 74
- PID 728 wrote to memory of 3968; 728; e5758de.exe; 76
- PID 728 wrote to memory of 3836; 728; e5758de.exe; 83
- PID 728 wrote to memory of 328; 728; e5758de.exe; 84
- PID 728 wrote to memory of 4116; 728; e5758de.exe; 85
- PID 4116 wrote to memory of 1840; 4116; rundll32.exe; 87
- PID 4116 wrote to memory of 1016; 4116; rundll32.exe; 89
- PID 4116 wrote to memory of 1512; 4116; rundll32.exe; 90
- PID 728 wrote to memory of 1840; 728; e5758de.exe; 87
- PID 728 wrote to memory of 1016; 728; e5758de.exe; 89
- PID 728 wrote to memory of 1512; 728; e5758de.exe; 90
(the 55 IoCs in the report repeat most of these rows two or three times; duplicates are collapsed above)
System policy modification 1 TTPs 2 IoCs
(description; ioc; Process)
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; e5758de.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; e577753.exe
Processes
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe"), PID 776
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe"), PID 780
- C:\Windows\system32\dwm.exe ("dwm.exe"), PID 64
- C:\Windows\system32\sihost.exe (sihost.exe), PID 2996
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc), PID 3068
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}), PID 2684
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID 3428
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd3b018c606d8b50ffbff36b103fe6fa25b822a9669061eef2f65d52d6880002N.dll,#1), PID 328
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd3b018c606d8b50ffbff36b103fe6fa25b822a9669061eef2f65d52d6880002N.dll,#1), PID 4116
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5758de.exe (C:\Users\Admin\AppData\Local\Temp\e5758de.exe), PID 728
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e575a45.exe (C:\Users\Admin\AppData\Local\Temp\e575a45.exe), PID 1840
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e577753.exe (C:\Users\Admin\AppData\Local\Temp\e577753.exe), PID 1016
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e577772.exe (C:\Users\Admin\AppData\Local\Temp\e577772.exe), PID 1512
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc), PID 3556
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID 3768
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca), PID 3860
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 3924
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca), PID 4024
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 4196
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca), PID 4152
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 3968
- C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca), PID 3836
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 119312925e063b250720a1b3b2ee8d89
  SHA1: 51548a0178a002950c2e9ba55f017fb69ddeab8b
  SHA256: 094e9819ab1b91a313c8916450d1025caf430196729871ea935c915473160974
  SHA512: 1f9e19fa694e140884ec7cb38d2dcdb6d57e207daf70f5dbfba4ccf1c189135ccb0c7e7e2a86dddfb47781d382c088d4ccb1eec7adeaaaa3fdd110941bfa70fc
- Filesize: 257B
  MD5: 7bf638eb1bf34fd81f0358f8e7665e28
  SHA1: 502152453f01547ef3e9cc87c4553f503b2e0e82
  SHA256: 3d2bd8da79dc0f81389494fa3a54b558a929e49e61d9489427e92390ac27e2a3
  SHA512: 001264af41eff5499680132f1037ad76ce14a6bc987654bde86320afebec96b7e11fff82aff8379d8436d6a3f934618b6954fa98bd914e0d8780bdd18cbf0e35