Analysis
max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 17-12-2024 03:27
Static task
static1
Behavioral task
behavioral1
Sample
910fda128bb27d348608f63cd96b41169184cc275ce457414a501954fd5fd440N.dll
Resource
win7-20240729-en
General
Target: 910fda128bb27d348608f63cd96b41169184cc275ce457414a501954fd5fd440N.dll
Size: 120KB
MD5: c0448f2d3b431f8ed94d1fb913c83080
SHA1: 79e70a54dd9c7a16537df305ecbece35675779c6
SHA256: 910fda128bb27d348608f63cd96b41169184cc275ce457414a501954fd5fd440
SHA512: 67a3ff1896d819c3dc225e360dbfe37b57adf159e0da30671c2bbe6f995fac1706105a4681476d9f3b291007ce26bd353c53a63b0bcdd39542b3de16ffb3d81d
SSDEEP: 3072:f3akmxxh/p2AUkIwtlmOsnrbs9pR60eOngo:fkz9hrtYbs9pSOng
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  3 TTPs  6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57cd72.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cd72.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579c9e.exe
Executes dropped EXE  3 IoCs
pid | Process
4304 | e579c9e.exe
3104 | e579e43.exe
3048 | e57cd72.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57cd72.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57cd72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579c9e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57cd72.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cd72.exe
Enumerates connected drives  3 TTPs  6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e57cd72.exe
File opened (read-only) | \??\E: | e579c9e.exe
File opened (read-only) | \??\G: | e579c9e.exe
File opened (read-only) | \??\H: | e579c9e.exe
File opened (read-only) | \??\I: | e579c9e.exe
File opened (read-only) | \??\J: | e579c9e.exe

resource | yara_rule
behavioral2/memory/4304-6-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-8-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-11-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-20-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-32-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-29-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-33-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-12-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-10-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-9-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-34-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-35-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-36-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-41-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-42-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-51-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-52-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-53-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-54-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-56-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-57-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/4304-60-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/3048-91-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3048-89-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3048-88-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3048-84-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3048-90-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3048-86-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3048-87-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3048-128-0x0000000000760000-0x000000000181A000-memory.dmp | upx
Drops file in Windows directory  3 IoCs
description | ioc | Process
File created | C:\Windows\e579d2a | e579c9e.exe
File opened for modification | C:\Windows\SYSTEM.INI | e579c9e.exe
File created | C:\Windows\e57f4d0 | e57cd72.exe
System Location Discovery: System Language Discovery  1 TTPs  4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579c9e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579e43.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57cd72.exe
Suspicious behavior: EnumeratesProcesses  6 IoCs
pid | Process
4304 | e579c9e.exe
4304 | e579c9e.exe
4304 | e579c9e.exe
4304 | e579c9e.exe
3048 | e57cd72.exe
3048 | e57cd72.exe

Suspicious use of AdjustPrivilegeToken  64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4304 | e579c9e.exe  (64 identical entries)
Suspicious use of WriteProcessMemory  63 IoCs
description | pid | Process | procid_target
PID 3968 wrote to memory of 4704 | 3968 | rundll32.exe | 82
PID 3968 wrote to memory of 4704 | 3968 | rundll32.exe | 82
PID 3968 wrote to memory of 4704 | 3968 | rundll32.exe | 82
PID 4704 wrote to memory of 4304 | 4704 | rundll32.exe | 83
PID 4704 wrote to memory of 4304 | 4704 | rundll32.exe | 83
PID 4704 wrote to memory of 4304 | 4704 | rundll32.exe | 83
PID 4304 wrote to memory of 776 | 4304 | e579c9e.exe | 8
PID 4304 wrote to memory of 780 | 4304 | e579c9e.exe | 9
PID 4304 wrote to memory of 336 | 4304 | e579c9e.exe | 13
PID 4304 wrote to memory of 2448 | 4304 | e579c9e.exe | 42
PID 4304 wrote to memory of 2480 | 4304 | e579c9e.exe | 45
PID 4304 wrote to memory of 2780 | 4304 | e579c9e.exe | 48
PID 4304 wrote to memory of 3564 | 4304 | e579c9e.exe | 56
PID 4304 wrote to memory of 3656 | 4304 | e579c9e.exe | 57
PID 4304 wrote to memory of 3860 | 4304 | e579c9e.exe | 58
PID 4304 wrote to memory of 3956 | 4304 | e579c9e.exe | 59
PID 4304 wrote to memory of 4016 | 4304 | e579c9e.exe | 60
PID 4304 wrote to memory of 648 | 4304 | e579c9e.exe | 61
PID 4304 wrote to memory of 4200 | 4304 | e579c9e.exe | 62
PID 4304 wrote to memory of 1412 | 4304 | e579c9e.exe | 75
PID 4304 wrote to memory of 3464 | 4304 | e579c9e.exe | 76
PID 4304 wrote to memory of 3968 | 4304 | e579c9e.exe | 81
PID 4304 wrote to memory of 4704 | 4304 | e579c9e.exe | 82
PID 4304 wrote to memory of 4704 | 4304 | e579c9e.exe | 82
PID 4704 wrote to memory of 3104 | 4704 | rundll32.exe | 84
PID 4704 wrote to memory of 3104 | 4704 | rundll32.exe | 84
PID 4704 wrote to memory of 3104 | 4704 | rundll32.exe | 84
PID 4304 wrote to memory of 776 | 4304 | e579c9e.exe | 8
PID 4304 wrote to memory of 780 | 4304 | e579c9e.exe | 9
PID 4304 wrote to memory of 336 | 4304 | e579c9e.exe | 13
PID 4304 wrote to memory of 2448 | 4304 | e579c9e.exe | 42
PID 4304 wrote to memory of 2480 | 4304 | e579c9e.exe | 45
PID 4304 wrote to memory of 2780 | 4304 | e579c9e.exe | 48
PID 4304 wrote to memory of 3564 | 4304 | e579c9e.exe | 56
PID 4304 wrote to memory of 3656 | 4304 | e579c9e.exe | 57
PID 4304 wrote to memory of 3860 | 4304 | e579c9e.exe | 58
PID 4304 wrote to memory of 3956 | 4304 | e579c9e.exe | 59
PID 4304 wrote to memory of 4016 | 4304 | e579c9e.exe | 60
PID 4304 wrote to memory of 648 | 4304 | e579c9e.exe | 61
PID 4304 wrote to memory of 4200 | 4304 | e579c9e.exe | 62
PID 4304 wrote to memory of 1412 | 4304 | e579c9e.exe | 75
PID 4304 wrote to memory of 3464 | 4304 | e579c9e.exe | 76
PID 4304 wrote to memory of 3968 | 4304 | e579c9e.exe | 81
PID 4304 wrote to memory of 3104 | 4304 | e579c9e.exe | 84
PID 4304 wrote to memory of 3104 | 4304 | e579c9e.exe | 84
PID 4704 wrote to memory of 3048 | 4704 | rundll32.exe | 85
PID 4704 wrote to memory of 3048 | 4704 | rundll32.exe | 85
PID 4704 wrote to memory of 3048 | 4704 | rundll32.exe | 85
PID 3048 wrote to memory of 776 | 3048 | e57cd72.exe | 8
PID 3048 wrote to memory of 780 | 3048 | e57cd72.exe | 9
PID 3048 wrote to memory of 336 | 3048 | e57cd72.exe | 13
PID 3048 wrote to memory of 2448 | 3048 | e57cd72.exe | 42
PID 3048 wrote to memory of 2480 | 3048 | e57cd72.exe | 45
PID 3048 wrote to memory of 2780 | 3048 | e57cd72.exe | 48
PID 3048 wrote to memory of 3564 | 3048 | e57cd72.exe | 56
PID 3048 wrote to memory of 3656 | 3048 | e57cd72.exe | 57
PID 3048 wrote to memory of 3860 | 3048 | e57cd72.exe | 58
PID 3048 wrote to memory of 3956 | 3048 | e57cd72.exe | 59
PID 3048 wrote to memory of 4016 | 3048 | e57cd72.exe | 60
PID 3048 wrote to memory of 648 | 3048 | e57cd72.exe | 61
PID 3048 wrote to memory of 4200 | 3048 | e57cd72.exe | 62
PID 3048 wrote to memory of 1412 | 3048 | e57cd72.exe | 75
PID 3048 wrote to memory of 3464 | 3048 | e57cd72.exe | 76
System policy modification  1 TTPs  2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579c9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cd72.exe
Processes
image path | command line | PID  (indented by process depth; signatures listed beneath each process)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:336
C:\Windows\system32\sihost.exe | sihost.exe | PID:2448
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2480
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2780
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3564
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\910fda128bb27d348608f63cd96b41169184cc275ce457414a501954fd5fd440N.dll,#1 | PID:3968
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\910fda128bb27d348608f63cd96b41169184cc275ce457414a501954fd5fd440N.dll,#1 | PID:4704
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\e579c9e.exe | C:\Users\Admin\AppData\Local\Temp\e579c9e.exe | PID:4304
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\e579e43.exe | C:\Users\Admin\AppData\Local\Temp\e579e43.exe | PID:3104
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\e57cd72.exe | C:\Users\Admin\AppData\Local\Temp\e57cd72.exe | PID:3048
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3656
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3860
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3956
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4016
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:648
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4200
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1412
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3464
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: be8483eae89723d702bfb6a4e21e2a5d
SHA1: cb479a6c150f608114f599b27b8ff0814302adc7
SHA256: 4aa055087758013f1cfe826188a0cd031546302f82072b64f09a6dce534e527d
SHA512: 36ade936f7925c8d27d3f54a5c11ac3ca20377929587e35beb88e0ccc0ca5d213d74574e892eeea2dd17da479af6e6e523b51bf68495f9b7d37f82db5945d093

Filesize: 257B
MD5: 22d3b15b70652ee497e418c045aff8b1
SHA1: c2b8877f104dee18a99c309cb679e416a84d6a09
SHA256: d894c9b0df41de85284a47a8e327de1e21bbb6b8d651c957fc72e7058376a368
SHA512: 3f2fad1b66c077968f2e53e7e27f76b6307e87cb5041a2fb5188687592203c3f2f27e0d2d94594e350be4d5c6a7e74330c3fc85ce52e396d524c4a9c048da0e7