Analysis
max time kernel: 93s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 17-12-2024 08:02
Static task: static1
Behavioral task: behavioral1
Sample: 3619e1f8e33018161a7c34ab7988bb28eb7f353381edc531b3a9232fcc207d31.dll
Resource: win7-20241010-en
General
Target: 3619e1f8e33018161a7c34ab7988bb28eb7f353381edc531b3a9232fcc207d31.dll
Size: 120KB
MD5: 90b47eba502c1b8afee365bd04a70aa1
SHA1: 4bd43464e18a6bfdcf5711188bc8b517d748ab34
SHA256: 3619e1f8e33018161a7c34ab7988bb28eb7f353381edc531b3a9232fcc207d31
SHA512: eec24c018e65729eb36ea1a58f0a582ec7c203d6b411ef91e05e2a96241053dbd26e2c6087df612f9a801f3bcfe50ab1b8402f284f97acbac1101b5abad7674d
SSDEEP: 3072:rhVihrNh3l/uOBUloF/iyCFSwTPFixJfeihh/Gbe:rTIll/u+U0i7FFMJXhhZ
Malware Config
Extracted
Family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a028.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a028.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579d2a.exe
Executes dropped EXE (3 IoCs)
pid | Process
2980 | e579d2a.exe
2476 | e57a028.exe
4476 | e57c2a4.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a028.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579d2a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a028.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a028.exe
Enumerates connected drives (3 TTPs, 8 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | e579d2a.exe
File opened (read-only) | \??\E: | e579d2a.exe
File opened (read-only) | \??\G: | e579d2a.exe
File opened (read-only) | \??\H: | e579d2a.exe
File opened (read-only) | \??\I: | e579d2a.exe
File opened (read-only) | \??\J: | e579d2a.exe
File opened (read-only) | \??\K: | e579d2a.exe
File opened (read-only) | \??\L: | e579d2a.exe
resource | yara_rule
behavioral2/memory/2980-9-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-10-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-8-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-6-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-14-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-18-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-19-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-21-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-20-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-11-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-36-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-37-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-38-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-39-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-40-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-56-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-59-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-62-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-64-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-66-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-67-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-68-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-72-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2980-74-0x0000000000830000-0x00000000018EA000-memory.dmp | upx
behavioral2/memory/2476-100-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/2476-131-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e579d98 | e579d2a.exe
File opened for modification | C:\Windows\SYSTEM.INI | e579d2a.exe
File created | C:\Windows\e57eef4 | e57a028.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579d2a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a028.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c2a4.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2980 | e579d2a.exe
2980 | e579d2a.exe
2980 | e579d2a.exe
2980 | e579d2a.exe
2476 | e57a028.exe
2476 | e57a028.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2980 | e579d2a.exe
(the same entry is recorded 64 times, all for pid 2980 e579d2a.exe)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2920 wrote to memory of 4668 | 2920 | rundll32.exe | 83
PID 2920 wrote to memory of 4668 | 2920 | rundll32.exe | 83
PID 2920 wrote to memory of 4668 | 2920 | rundll32.exe | 83
PID 4668 wrote to memory of 2980 | 4668 | rundll32.exe | 84
PID 4668 wrote to memory of 2980 | 4668 | rundll32.exe | 84
PID 4668 wrote to memory of 2980 | 4668 | rundll32.exe | 84
PID 2980 wrote to memory of 768 | 2980 | e579d2a.exe | 8
PID 2980 wrote to memory of 772 | 2980 | e579d2a.exe | 9
PID 2980 wrote to memory of 392 | 2980 | e579d2a.exe | 13
PID 2980 wrote to memory of 2656 | 2980 | e579d2a.exe | 44
PID 2980 wrote to memory of 2664 | 2980 | e579d2a.exe | 45
PID 2980 wrote to memory of 2828 | 2980 | e579d2a.exe | 49
PID 2980 wrote to memory of 3460 | 2980 | e579d2a.exe | 55
PID 2980 wrote to memory of 3640 | 2980 | e579d2a.exe | 57
PID 2980 wrote to memory of 3824 | 2980 | e579d2a.exe | 58
PID 2980 wrote to memory of 3920 | 2980 | e579d2a.exe | 59
PID 2980 wrote to memory of 3996 | 2980 | e579d2a.exe | 60
PID 2980 wrote to memory of 4076 | 2980 | e579d2a.exe | 61
PID 2980 wrote to memory of 4116 | 2980 | e579d2a.exe | 62
PID 2980 wrote to memory of 2076 | 2980 | e579d2a.exe | 64
PID 2980 wrote to memory of 1388 | 2980 | e579d2a.exe | 76
PID 2980 wrote to memory of 5080 | 2980 | e579d2a.exe | 81
PID 2980 wrote to memory of 2920 | 2980 | e579d2a.exe | 82
PID 2980 wrote to memory of 4668 | 2980 | e579d2a.exe | 83
PID 2980 wrote to memory of 4668 | 2980 | e579d2a.exe | 83
PID 4668 wrote to memory of 2476 | 4668 | rundll32.exe | 85
PID 4668 wrote to memory of 2476 | 4668 | rundll32.exe | 85
PID 4668 wrote to memory of 2476 | 4668 | rundll32.exe | 85
PID 4668 wrote to memory of 4476 | 4668 | rundll32.exe | 86
PID 4668 wrote to memory of 4476 | 4668 | rundll32.exe | 86
PID 4668 wrote to memory of 4476 | 4668 | rundll32.exe | 86
PID 2980 wrote to memory of 768 | 2980 | e579d2a.exe | 8
PID 2980 wrote to memory of 772 | 2980 | e579d2a.exe | 9
PID 2980 wrote to memory of 392 | 2980 | e579d2a.exe | 13
PID 2980 wrote to memory of 2656 | 2980 | e579d2a.exe | 44
PID 2980 wrote to memory of 2664 | 2980 | e579d2a.exe | 45
PID 2980 wrote to memory of 2828 | 2980 | e579d2a.exe | 49
PID 2980 wrote to memory of 3460 | 2980 | e579d2a.exe | 55
PID 2980 wrote to memory of 3640 | 2980 | e579d2a.exe | 57
PID 2980 wrote to memory of 3824 | 2980 | e579d2a.exe | 58
PID 2980 wrote to memory of 3920 | 2980 | e579d2a.exe | 59
PID 2980 wrote to memory of 3996 | 2980 | e579d2a.exe | 60
PID 2980 wrote to memory of 4076 | 2980 | e579d2a.exe | 61
PID 2980 wrote to memory of 4116 | 2980 | e579d2a.exe | 62
PID 2980 wrote to memory of 2076 | 2980 | e579d2a.exe | 64
PID 2980 wrote to memory of 1388 | 2980 | e579d2a.exe | 76
PID 2980 wrote to memory of 5080 | 2980 | e579d2a.exe | 81
PID 2980 wrote to memory of 2476 | 2980 | e579d2a.exe | 85
PID 2980 wrote to memory of 2476 | 2980 | e579d2a.exe | 85
PID 2980 wrote to memory of 4476 | 2980 | e579d2a.exe | 86
PID 2980 wrote to memory of 4476 | 2980 | e579d2a.exe | 86
PID 2476 wrote to memory of 768 | 2476 | e57a028.exe | 8
PID 2476 wrote to memory of 772 | 2476 | e57a028.exe | 9
PID 2476 wrote to memory of 392 | 2476 | e57a028.exe | 13
PID 2476 wrote to memory of 2656 | 2476 | e57a028.exe | 44
PID 2476 wrote to memory of 2664 | 2476 | e57a028.exe | 45
PID 2476 wrote to memory of 2828 | 2476 | e57a028.exe | 49
PID 2476 wrote to memory of 3460 | 2476 | e57a028.exe | 55
PID 2476 wrote to memory of 3640 | 2476 | e57a028.exe | 57
PID 2476 wrote to memory of 3824 | 2476 | e57a028.exe | 58
PID 2476 wrote to memory of 3920 | 2476 | e57a028.exe | 59
PID 2476 wrote to memory of 3996 | 2476 | e57a028.exe | 60
PID 2476 wrote to memory of 4076 | 2476 | e57a028.exe | 61
PID 2476 wrote to memory of 4116 | 2476 | e57a028.exe | 62
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579d2a.exe
Processes
(path | command line | PID; indentation shows the tree level given in the report, signatures listed under each process)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:768
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:772
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:392
C:\Windows\system32\sihost.exe | sihost.exe | PID:2656
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2664
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2828
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3460
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\3619e1f8e33018161a7c34ab7988bb28eb7f353381edc531b3a9232fcc207d31.dll,#1 | PID:2920
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\3619e1f8e33018161a7c34ab7988bb28eb7f353381edc531b3a9232fcc207d31.dll,#1 | PID:4668
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e579d2a.exe | C:\Users\Admin\AppData\Local\Temp\e579d2a.exe | PID:2980
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57a028.exe | C:\Users\Admin\AppData\Local\Temp\e57a028.exe | PID:2476
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57c2a4.exe | C:\Users\Admin\AppData\Local\Temp\e57c2a4.exe | PID:4476
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3640
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3824
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3920
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3996
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4076
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4116
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2076
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1388
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:5080
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 691b7eb8a57178d7b59cefa2b5c2e8ef
SHA1: 44bc1dfe9d299222f941dd624931654a29f12a17
SHA256: c0d28389550d827c08c5b63a8232a39b2d506e867dd3054797d7f35be5f41796
SHA512: 64a256c47325db9b401b90e89d85369c623603fbe674078f1dc77ebdca9d307ef3e574db7687c4e2d21b6ce99d91cf89e09ddcc3929229985e732a2c7f75ffa4

Filesize: 257B
MD5: 9dcedd8e6dfd8eb7797e241a99304cf1
SHA1: 1766e2ffdd62e33697be679ac00c7a76732e0e5d
SHA256: 0104608e00cd9fefe8bd3298b45fcb397feff7bd7355ba8b4763b42389bbfee1
SHA512: 563b68f628056aa555a0a95b33f79871266f02e0762a2768f8acf1cfb349e70a9ee01cdbeaf0b5d57a07bd6ecf94874262a0574fa0110d58fa2264fee1424606