Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 06:58
Static task: static1
Behavioral task: behavioral1
Sample: b54df043db12c340639ed6b51537bc57f2e7dd9ee9f48322cd228351063bdf71.dll
Resource: win7-20240903-en
General
Target: b54df043db12c340639ed6b51537bc57f2e7dd9ee9f48322cd228351063bdf71.dll
Size: 120KB
MD5: f26bb03801443d31d60689ef0deab95d
SHA1: 45a619b307e356cfeee1fedd63ad1ecab79b8dec
SHA256: b54df043db12c340639ed6b51537bc57f2e7dd9ee9f48322cd228351063bdf71
SHA512: 51cf2d6692f207152ec1fdd055493f04ada8e130a68eedb9bc078997728c4a8f8bc381797ee21b06a56c7c87a05e6fd4b78ab7d4c05dcc1e697d4f7ed8861b77
SSDEEP: 3072:bxrqZzLskmmOzCf1Pnn4khqb7yih1AHhjJGDxJ:bxrq316nxADG3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bb32.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f29d.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bb32.exe
Executes dropped EXE 3 IoCs
pid | Process
5068 | e57bb32.exe
4372 | e57bc99.exe
4008 | e57f29d.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f29d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f29d.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bb32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f29d.exe
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e57f29d.exe
File opened (read-only) | \??\E: | e57bb32.exe
File opened (read-only) | \??\G: | e57bb32.exe
File opened (read-only) | \??\H: | e57bb32.exe
File opened (read-only) | \??\I: | e57bb32.exe
File opened (read-only) | \??\J: | e57bb32.exe
Yara rule: upx
resource | yara_rule
behavioral2/memory/5068-10-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-8-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-13-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-11-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-19-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-34-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-27-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-18-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-9-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-35-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-36-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-37-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-38-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-43-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-42-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-53-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-54-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-56-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-59-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-60-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/5068-64-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4008-92-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4008-91-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4008-90-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4008-89-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4008-100-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4008-88-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4008-86-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4008-128-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57bbde | e57bb32.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57bb32.exe
File created | C:\Windows\e5819ec | e57f29d.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bc99.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57f29d.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
5068 | e57bb32.exe
5068 | e57bb32.exe
5068 | e57bb32.exe
5068 | e57bb32.exe
4008 | e57f29d.exe
4008 | e57f29d.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5068 | e57bb32.exe
(the same row, Token: SeDebugPrivilege from PID 5068 e57bb32.exe, is recorded 64 times)
Suspicious use of WriteProcessMemory 63 IoCs
description | pid | Process | procid_target
PID 1356 wrote to memory of 2772 | 1356 | rundll32.exe | 82
PID 1356 wrote to memory of 2772 | 1356 | rundll32.exe | 82
PID 1356 wrote to memory of 2772 | 1356 | rundll32.exe | 82
PID 2772 wrote to memory of 5068 | 2772 | rundll32.exe | 83
PID 2772 wrote to memory of 5068 | 2772 | rundll32.exe | 83
PID 2772 wrote to memory of 5068 | 2772 | rundll32.exe | 83
PID 5068 wrote to memory of 788 | 5068 | e57bb32.exe | 9
PID 5068 wrote to memory of 796 | 5068 | e57bb32.exe | 10
PID 5068 wrote to memory of 384 | 5068 | e57bb32.exe | 13
PID 5068 wrote to memory of 2780 | 5068 | e57bb32.exe | 47
PID 5068 wrote to memory of 2800 | 5068 | e57bb32.exe | 48
PID 5068 wrote to memory of 2204 | 5068 | e57bb32.exe | 52
PID 5068 wrote to memory of 3468 | 5068 | e57bb32.exe | 56
PID 5068 wrote to memory of 3560 | 5068 | e57bb32.exe | 57
PID 5068 wrote to memory of 3768 | 5068 | e57bb32.exe | 58
PID 5068 wrote to memory of 3864 | 5068 | e57bb32.exe | 59
PID 5068 wrote to memory of 3924 | 5068 | e57bb32.exe | 60
PID 5068 wrote to memory of 4052 | 5068 | e57bb32.exe | 61
PID 5068 wrote to memory of 4144 | 5068 | e57bb32.exe | 62
PID 5068 wrote to memory of 2232 | 5068 | e57bb32.exe | 75
PID 5068 wrote to memory of 4448 | 5068 | e57bb32.exe | 76
PID 5068 wrote to memory of 1356 | 5068 | e57bb32.exe | 81
PID 5068 wrote to memory of 2772 | 5068 | e57bb32.exe | 82
PID 5068 wrote to memory of 2772 | 5068 | e57bb32.exe | 82
PID 2772 wrote to memory of 4372 | 2772 | rundll32.exe | 84
PID 2772 wrote to memory of 4372 | 2772 | rundll32.exe | 84
PID 2772 wrote to memory of 4372 | 2772 | rundll32.exe | 84
PID 5068 wrote to memory of 788 | 5068 | e57bb32.exe | 9
PID 5068 wrote to memory of 796 | 5068 | e57bb32.exe | 10
PID 5068 wrote to memory of 384 | 5068 | e57bb32.exe | 13
PID 5068 wrote to memory of 2780 | 5068 | e57bb32.exe | 47
PID 5068 wrote to memory of 2800 | 5068 | e57bb32.exe | 48
PID 5068 wrote to memory of 2204 | 5068 | e57bb32.exe | 52
PID 5068 wrote to memory of 3468 | 5068 | e57bb32.exe | 56
PID 5068 wrote to memory of 3560 | 5068 | e57bb32.exe | 57
PID 5068 wrote to memory of 3768 | 5068 | e57bb32.exe | 58
PID 5068 wrote to memory of 3864 | 5068 | e57bb32.exe | 59
PID 5068 wrote to memory of 3924 | 5068 | e57bb32.exe | 60
PID 5068 wrote to memory of 4052 | 5068 | e57bb32.exe | 61
PID 5068 wrote to memory of 4144 | 5068 | e57bb32.exe | 62
PID 5068 wrote to memory of 2232 | 5068 | e57bb32.exe | 75
PID 5068 wrote to memory of 4448 | 5068 | e57bb32.exe | 76
PID 5068 wrote to memory of 1356 | 5068 | e57bb32.exe | 81
PID 5068 wrote to memory of 4372 | 5068 | e57bb32.exe | 84
PID 5068 wrote to memory of 4372 | 5068 | e57bb32.exe | 84
PID 2772 wrote to memory of 4008 | 2772 | rundll32.exe | 85
PID 2772 wrote to memory of 4008 | 2772 | rundll32.exe | 85
PID 2772 wrote to memory of 4008 | 2772 | rundll32.exe | 85
PID 4008 wrote to memory of 788 | 4008 | e57f29d.exe | 9
PID 4008 wrote to memory of 796 | 4008 | e57f29d.exe | 10
PID 4008 wrote to memory of 384 | 4008 | e57f29d.exe | 13
PID 4008 wrote to memory of 2780 | 4008 | e57f29d.exe | 47
PID 4008 wrote to memory of 2800 | 4008 | e57f29d.exe | 48
PID 4008 wrote to memory of 2204 | 4008 | e57f29d.exe | 52
PID 4008 wrote to memory of 3468 | 4008 | e57f29d.exe | 56
PID 4008 wrote to memory of 3560 | 4008 | e57f29d.exe | 57
PID 4008 wrote to memory of 3768 | 4008 | e57f29d.exe | 58
PID 4008 wrote to memory of 3864 | 4008 | e57f29d.exe | 59
PID 4008 wrote to memory of 3924 | 4008 | e57f29d.exe | 60
PID 4008 wrote to memory of 4052 | 4008 | e57f29d.exe | 61
PID 4008 wrote to memory of 4144 | 4008 | e57f29d.exe | 62
PID 4008 wrote to memory of 2232 | 4008 | e57f29d.exe | 75
PID 4008 wrote to memory of 4448 | 4008 | e57f29d.exe | 76
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f29d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bb32.exe
Processes (child processes are indented under their parent; "- " lines are the signatures matched by that process)
* C:\Windows\system32\fontdrvhost.exe
    cmdline: "fontdrvhost.exe"
    PID: 788
* C:\Windows\system32\fontdrvhost.exe
    cmdline: "fontdrvhost.exe"
    PID: 796
* C:\Windows\system32\dwm.exe
    cmdline: "dwm.exe"
    PID: 384
* C:\Windows\system32\sihost.exe
    cmdline: sihost.exe
    PID: 2780
* C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2800
* C:\Windows\system32\taskhostw.exe
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2204
* C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    PID: 3468
* C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b54df043db12c340639ed6b51537bc57f2e7dd9ee9f48322cd228351063bdf71.dll,#1
    PID: 1356
    - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\rundll32.exe
        cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b54df043db12c340639ed6b51537bc57f2e7dd9ee9f48322cd228351063bdf71.dll,#1
        PID: 2772
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        * C:\Users\Admin\AppData\Local\Temp\e57bb32.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\e57bb32.exe
            PID: 5068
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
        * C:\Users\Admin\AppData\Local\Temp\e57bc99.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\e57bc99.exe
            PID: 4372
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
        * C:\Users\Admin\AppData\Local\Temp\e57f29d.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\e57f29d.exe
            PID: 4008
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification
* C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3560
* C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3768
* C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3864
* C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3924
* C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 4052
* C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4144
* C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 2232
* C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4448
Network
MITRE ATT&CK Enterprise v15 (technique, count of matching signatures)
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
Filesize: 97KB
MD5: 88067442deaaa41519b2e466526871d6
SHA1: 9ae21d76351c3efb609f35a66cbf33b1aaa3e203
SHA256: 78afcf920506ee1b62d377ffbf6841f26e3f4988b3412a4f9bf726983e427db8
SHA512: 86ea01cfc605a35284929ddd89ee9027c6a7b0842e50f03f1e05d9a34ddf4a3409eb670fbd2c6184d671f61eb6653ae98e0b24c2e00423cde959cd75b7c3e6aa

Filesize: 256B
MD5: 3fd0a3c34646fe4fb65aadcb79ebeddc
SHA1: 1fcffe24d91e2aff01819c703a94dd3e0f859af4
SHA256: 8835ed0110c48831452b944d0d0b442485a3c004314c84b468fd9d8f5304f38d
SHA512: 8088e4228c80d5d3669098fd7ed644ad8d43ca194b1b1edf9c58d19ca63cc7b2202742cbdc633133fc515fc78871659abccf4c132cf9dd5ca18f46589cb46789