Analysis
max time kernel: 32s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 17:48
Static task: static1
Behavioral task: behavioral1
  Sample: eec132b75875bb6fa9c3f8d9d27eb7165f9d927be8bbb038654b78b68479adceN.dll
  Resource: win7-20240903-en
General
Target: eec132b75875bb6fa9c3f8d9d27eb7165f9d927be8bbb038654b78b68479adceN.dll
Size: 120KB
MD5: 5e9a40d806c27dba6088749724e1baf0
SHA1: 11e59a1cecbbd675a7bf2c2153ad63e9686f1059
SHA256: eec132b75875bb6fa9c3f8d9d27eb7165f9d927be8bbb038654b78b68479adce
SHA512: d0b8dfe8daafe2853a5dad8255eff026f380c377cddf60da9f71d5efd1099ecd4076ca7020849590ec745b70879e8c4436d1d79e5a8e5df36a7564d39866f50b
SSDEEP: 1536:bwF4Tnpl3i5tzFCcEqq9BkMR8KArnY4GB1WcTV+S7uYSFnMq67Zzk8nFa:cuzzyBFCbL96MR8vrnt6lRixFnhM
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a901.exe
Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5775dc.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5775dc.exe
Executes dropped EXE 3 IoCs
pid | Process
1952 | e5775dc.exe
1724 | e577705.exe
3704 | e57a901.exe
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5775dc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a901.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a901.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5775dc.exe
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a901.exe
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57a901.exe
File opened (read-only) | \??\E: | e5775dc.exe
File opened (read-only) | \??\G: | e5775dc.exe
File opened (read-only) | \??\H: | e5775dc.exe
File opened (read-only) | \??\I: | e5775dc.exe
File opened (read-only) | \??\J: | e5775dc.exe
File opened (read-only) | \??\K: | e5775dc.exe
File opened (read-only) | \??\E: | e57a901.exe
yara_rule upx: matched in memory dumps of PID 1952 (e5775dc.exe) and PID 3704 (e57a901.exe)
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e5775dc.exe
File created | C:\Windows\e57d06f | e57a901.exe
File created | C:\Windows\e577639 | e5775dc.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577705.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a901.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5775dc.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1952 | e5775dc.exe
1952 | e5775dc.exe
1952 | e5775dc.exe
1952 | e5775dc.exe
3704 | e57a901.exe
3704 | e57a901.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1952 | e5775dc.exe
(this same entry is recorded 64 times; the identical repeats are not listed again)
Suspicious use of WriteProcessMemory 64 IoCs
(identical entries are collapsed; the last column gives how many times each entry was recorded)
description | pid | Process | procid_target | times recorded
PID 4552 wrote to memory of 3164 | 4552 | rundll32.exe | 83 | 3
PID 3164 wrote to memory of 1952 | 3164 | rundll32.exe | 84 | 3
PID 1952 wrote to memory of 764 | 1952 | e5775dc.exe | 8 | 2
PID 1952 wrote to memory of 772 | 1952 | e5775dc.exe | 9 | 2
PID 1952 wrote to memory of 316 | 1952 | e5775dc.exe | 13 | 2
PID 1952 wrote to memory of 2864 | 1952 | e5775dc.exe | 50 | 2
PID 1952 wrote to memory of 3076 | 1952 | e5775dc.exe | 51 | 2
PID 1952 wrote to memory of 3228 | 1952 | e5775dc.exe | 53 | 2
PID 1952 wrote to memory of 3520 | 1952 | e5775dc.exe | 56 | 2
PID 1952 wrote to memory of 3648 | 1952 | e5775dc.exe | 57 | 2
PID 1952 wrote to memory of 3836 | 1952 | e5775dc.exe | 58 | 2
PID 1952 wrote to memory of 3948 | 1952 | e5775dc.exe | 59 | 2
PID 1952 wrote to memory of 4052 | 1952 | e5775dc.exe | 60 | 2
PID 1952 wrote to memory of 3752 | 1952 | e5775dc.exe | 61 | 2
PID 1952 wrote to memory of 4164 | 1952 | e5775dc.exe | 62 | 2
PID 1952 wrote to memory of 652 | 1952 | e5775dc.exe | 74 | 2
PID 1952 wrote to memory of 5024 | 1952 | e5775dc.exe | 76 | 2
PID 1952 wrote to memory of 536 | 1952 | e5775dc.exe | 81 | 2
PID 1952 wrote to memory of 4552 | 1952 | e5775dc.exe | 82 | 2
PID 1952 wrote to memory of 3164 | 1952 | e5775dc.exe | 83 | 2
PID 3164 wrote to memory of 1724 | 3164 | rundll32.exe | 85 | 3
PID 1952 wrote to memory of 1724 | 1952 | e5775dc.exe | 85 | 2
PID 3164 wrote to memory of 3704 | 3164 | rundll32.exe | 86 | 3
PID 3704 wrote to memory of 764 | 3704 | e57a901.exe | 8 | 1
PID 3704 wrote to memory of 772 | 3704 | e57a901.exe | 9 | 1
PID 3704 wrote to memory of 316 | 3704 | e57a901.exe | 13 | 1
PID 3704 wrote to memory of 2864 | 3704 | e57a901.exe | 50 | 1
PID 3704 wrote to memory of 3076 | 3704 | e57a901.exe | 51 | 1
PID 3704 wrote to memory of 3228 | 3704 | e57a901.exe | 53 | 1
PID 3704 wrote to memory of 3520 | 3704 | e57a901.exe | 56 | 1
PID 3704 wrote to memory of 3648 | 3704 | e57a901.exe | 57 | 1
PID 3704 wrote to memory of 3836 | 3704 | e57a901.exe | 58 | 1
PID 3704 wrote to memory of 3948 | 3704 | e57a901.exe | 59 | 1
PID 3704 wrote to memory of 4052 | 3704 | e57a901.exe | 60 | 1
PID 3704 wrote to memory of 3752 | 3704 | e57a901.exe | 61 | 1
PID 3704 wrote to memory of 4164 | 3704 | e57a901.exe | 62 | 1
PID 3704 wrote to memory of 652 | 3704 | e57a901.exe | 74 | 1
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5775dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a901.exe
Processes
(one process per line as path | command line | PID; indentation shows parent/child depth, and the "- " lines under a process are the signatures it triggered)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:764
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:772
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:316
C:\Windows\system32\sihost.exe | sihost.exe | PID:2864
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3076
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3228
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3520
    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\eec132b75875bb6fa9c3f8d9d27eb7165f9d927be8bbb038654b78b68479adceN.dll,#1 | PID:4552
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\eec132b75875bb6fa9c3f8d9d27eb7165f9d927be8bbb038654b78b68479adceN.dll,#1 | PID:3164
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e5775dc.exe | C:\Users\Admin\AppData\Local\Temp\e5775dc.exe | PID:1952
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e577705.exe | C:\Users\Admin\AppData\Local\Temp\e577705.exe | PID:1724
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e57a901.exe | C:\Users\Admin\AppData\Local\Temp\e57a901.exe | PID:3704
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3648
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3836
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3948
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4052
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3752
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4164
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:652
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:5024
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:536
Network
MITRE ATT&CK Enterprise v15
(counts in parentheses give the number of matching signatures)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: e3cc3480a24260c512bafde2f4efbe9d
SHA1: 6a49a2da0078a35f29e85badf58c6bb53f3965df
SHA256: 79c7403ee0ea2cb5abda04f0683b7fcd51ab8e9f9bf3dff5213c1ad7c05e195f
SHA512: ac091370807b01c3ecba02cd49d51a931621c2dc64a841942f4665c371ea8119af2459b20b3ed7e56c3e51cfbc54d3e93c560cd9aac59b4124343709b846b81c
-
Filesize: 257B
MD5: 87b949447ac4db8810c60ce4d678dcd6
SHA1: 7436ecb0e1127b2db0d1d708ce2198a0eea50f0f
SHA256: 2fb4ea0fb571e9b51c3983c5a088ae3edc5fe5459b4dfd05f280eaee67ac525f
SHA512: 70446d07b9fe14c62fa8a7fc5bf2a14c5f40dfe910e014d4bddaf2c78947054c2e21fc6875cc344ab66afc8cbc7ee89a50710f8887e48123b5b338410b7819a5