Analysis
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 09:48
Static task: static1
Behavioral task: behavioral1
Sample: ceef912bd51a33e4659570652c8dd56f911a026d66baa177277c62a055116814N.dll
Resource: win7-20241023-en
General
Target: ceef912bd51a33e4659570652c8dd56f911a026d66baa177277c62a055116814N.dll
Size: 120KB
MD5: f23de772679b8c1c722f9ed984c93bc0
SHA1: 1f0963be67b0a89ff94bb6e7422602a43a7cb0ea
SHA256: ceef912bd51a33e4659570652c8dd56f911a026d66baa177277c62a055116814
SHA512: a26eb47912aea4591870193411e2eb0ea2b906211910b68a475714ab2ebb3df61d0026748769ef6e95af7444e180da91991e44316dc4c28656bf3afda29515ab
SSDEEP: 1536:Wx3JhohEf7DPl8wPrlKif5+4ZCB5KPJnMWQ6tNqgdzWRp1MkZjpqeE1fJYM:Q5ZfPPl8MZKCZCyPJn1XfgpVW
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  3 TTPs  6 IoCs
description      ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e577280.exe
Sality family

UAC bypass  2 IoCs
description      ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57b45c.exe
Windows security bypass  12 IoCs
description      ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57b45c.exe
Executes dropped EXE  4 IoCs
pid   Process
1940  e577280.exe
2880  e5773c8.exe
3184  e57b45c.exe
5072  e57b4b9.exe
Windows security modification  14 IoCs
description      ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57b45c.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e577280.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57b45c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e577280.exe
Checks whether UAC is enabled  2 IoCs
description      ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57b45c.exe
Enumerates connected drives  3 TTPs  6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\H:  e577280.exe
File opened (read-only)  \??\I:  e577280.exe
File opened (read-only)  \??\E:  e57b45c.exe
File opened (read-only)  \??\G:  e57b45c.exe
File opened (read-only)  \??\E:  e577280.exe
File opened (read-only)  \??\G:  e577280.exe
Drops file in Windows directory  3 IoCs
description                   ioc                    Process
File created                  C:\Windows\e5772de     e577280.exe
File opened for modification  C:\Windows\SYSTEM.INI  e577280.exe
File created                  C:\Windows\e57dc08     e57b45c.exe
System Location Discovery: System Language Discovery  1 TTPs  5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e577280.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e5773c8.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57b45c.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57b4b9.exe
Suspicious behavior: EnumeratesProcesses  6 IoCs
pid   Process
1940  e577280.exe
1940  e577280.exe
1940  e577280.exe
1940  e577280.exe
3184  e57b45c.exe
3184  e57b45c.exe
Suspicious use of AdjustPrivilegeToken  64 IoCs
description              pid   Process
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Token: SeDebugPrivilege  1940  e577280.exe
Suspicious use of WriteProcessMemory  64 IoCs
description                        pid   Process       procid_target
PID 440 wrote to memory of 3216    440   rundll32.exe  82
PID 440 wrote to memory of 3216    440   rundll32.exe  82
PID 440 wrote to memory of 3216    440   rundll32.exe  82
PID 3216 wrote to memory of 1940   3216  rundll32.exe  83
PID 3216 wrote to memory of 1940   3216  rundll32.exe  83
PID 3216 wrote to memory of 1940   3216  rundll32.exe  83
PID 1940 wrote to memory of 800    1940  e577280.exe   9
PID 1940 wrote to memory of 808    1940  e577280.exe   10
PID 1940 wrote to memory of 412    1940  e577280.exe   13
PID 1940 wrote to memory of 2540   1940  e577280.exe   42
PID 1940 wrote to memory of 2572   1940  e577280.exe   43
PID 1940 wrote to memory of 2836   1940  e577280.exe   49
PID 1940 wrote to memory of 3448   1940  e577280.exe   56
PID 1940 wrote to memory of 3608   1940  e577280.exe   57
PID 1940 wrote to memory of 3792   1940  e577280.exe   58
PID 1940 wrote to memory of 3884   1940  e577280.exe   59
PID 1940 wrote to memory of 3948   1940  e577280.exe   60
PID 1940 wrote to memory of 4036   1940  e577280.exe   61
PID 1940 wrote to memory of 3068   1940  e577280.exe   74
PID 1940 wrote to memory of 3628   1940  e577280.exe   76
PID 1940 wrote to memory of 440    1940  e577280.exe   81
PID 1940 wrote to memory of 3216   1940  e577280.exe   82
PID 1940 wrote to memory of 3216   1940  e577280.exe   82
PID 3216 wrote to memory of 2880   3216  rundll32.exe  84
PID 3216 wrote to memory of 2880   3216  rundll32.exe  84
PID 3216 wrote to memory of 2880   3216  rundll32.exe  84
PID 1940 wrote to memory of 800    1940  e577280.exe   9
PID 1940 wrote to memory of 808    1940  e577280.exe   10
PID 1940 wrote to memory of 412    1940  e577280.exe   13
PID 1940 wrote to memory of 2540   1940  e577280.exe   42
PID 1940 wrote to memory of 2572   1940  e577280.exe   43
PID 1940 wrote to memory of 2836   1940  e577280.exe   49
PID 1940 wrote to memory of 3448   1940  e577280.exe   56
PID 1940 wrote to memory of 3608   1940  e577280.exe   57
PID 1940 wrote to memory of 3792   1940  e577280.exe   58
PID 1940 wrote to memory of 3884   1940  e577280.exe   59
PID 1940 wrote to memory of 3948   1940  e577280.exe   60
PID 1940 wrote to memory of 4036   1940  e577280.exe   61
PID 1940 wrote to memory of 3068   1940  e577280.exe   74
PID 1940 wrote to memory of 3628   1940  e577280.exe   76
PID 1940 wrote to memory of 440    1940  e577280.exe   81
PID 1940 wrote to memory of 2880   1940  e577280.exe   84
PID 1940 wrote to memory of 2880   1940  e577280.exe   84
PID 3216 wrote to memory of 3184   3216  rundll32.exe  89
PID 3216 wrote to memory of 3184   3216  rundll32.exe  89
PID 3216 wrote to memory of 3184   3216  rundll32.exe  89
PID 3216 wrote to memory of 5072   3216  rundll32.exe  90
PID 3216 wrote to memory of 5072   3216  rundll32.exe  90
PID 3216 wrote to memory of 5072   3216  rundll32.exe  90
PID 3184 wrote to memory of 800    3184  e57b45c.exe   9
PID 3184 wrote to memory of 808    3184  e57b45c.exe   10
PID 3184 wrote to memory of 412    3184  e57b45c.exe   13
PID 3184 wrote to memory of 2540   3184  e57b45c.exe   42
PID 3184 wrote to memory of 2572   3184  e57b45c.exe   43
PID 3184 wrote to memory of 2836   3184  e57b45c.exe   49
PID 3184 wrote to memory of 3448   3184  e57b45c.exe   56
PID 3184 wrote to memory of 3608   3184  e57b45c.exe   57
PID 3184 wrote to memory of 3792   3184  e57b45c.exe   58
PID 3184 wrote to memory of 3884   3184  e57b45c.exe   59
PID 3184 wrote to memory of 3948   3184  e57b45c.exe   60
PID 3184 wrote to memory of 4036   3184  e57b45c.exe   61
PID 3184 wrote to memory of 3068   3184  e57b45c.exe   74
PID 3184 wrote to memory of 3628   3184  e57b45c.exe   76
PID 3184 wrote to memory of 5072   3184  e57b45c.exe   90
System policy modification  1 TTPs  2 IoCs
description      ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e577280.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57b45c.exe
Processes
(bracketed number = depth of the entry in the process tree)

- [1] C:\Windows\system32\fontdrvhost.exe
  cmdline: "fontdrvhost.exe"
  PID: 800
- [1] C:\Windows\system32\fontdrvhost.exe
  cmdline: "fontdrvhost.exe"
  PID: 808
- [1] C:\Windows\system32\dwm.exe
  cmdline: "dwm.exe"
  PID: 412
- [1] C:\Windows\system32\sihost.exe
  cmdline: sihost.exe
  PID: 2540
- [1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2572
- [1] C:\Windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2836
- [1] C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  PID: 3448
  - [2] C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ceef912bd51a33e4659570652c8dd56f911a026d66baa177277c62a055116814N.dll,#1
    signatures:
    - Suspicious use of WriteProcessMemory
    PID: 440
    - [3] C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ceef912bd51a33e4659570652c8dd56f911a026d66baa177277c62a055116814N.dll,#1
      signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3216
      - [4] C:\Users\Admin\AppData\Local\Temp\e577280.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e577280.exe
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 1940
      - [4] C:\Users\Admin\AppData\Local\Temp\e5773c8.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e5773c8.exe
        signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 2880
      - [4] C:\Users\Admin\AppData\Local\Temp\e57b45c.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e57b45c.exe
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 3184
      - [4] C:\Users\Admin\AppData\Local\Temp\e57b4b9.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e57b4b9.exe
        signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 5072
- [1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3608
- [1] C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3792
- [1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3884
- [1] C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3948
- [1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4036
- [1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 3068
- [1] C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3628
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 982a7307358b46a3cfdf3e0bd4cbdc21
SHA1: 593f2c4a6127bdfcb183e60ca327b3e6a6716470
SHA256: 0ce404ca683b71242117321b6dd67e294dcffad38cdbc79ec0aafae9f5e9f1e0
SHA512: a316a854cfcf71939459297869bb7638cc9b780820c804b84e94d0e5102f913d5e884de5bce311601a4a332cabfac2f1a80772771a861c7b3dc83d627eadadd9

Filesize: 257B
MD5: 299711b163c803020c5b3b612b9715a6
SHA1: 8ee06cceff6103f6ecca9a1659db1d9ff6715690
SHA256: 196e700cdb5299dd7285bf81d7b146b19556d8024b4ce4e47a046b1be0c4829c
SHA512: 0097d365d31e42096bc7a9e73d4b7f47016a6089cb8fe1e41a40a80207fc46e9e4826c0299473bb77724ad4706f55fd738a62580e701c964714843a2e4528cb8