Analysis
max time kernel: 32s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 17-12-2024 11:07
Static task: static1
Behavioral task: behavioral1
Sample: e2bdb19a27be98f626353e9618ed26bae2c805d4c335ead300abd96c8a5d3a9dN.dll
Resource: win7-20240903-en
General
Target: e2bdb19a27be98f626353e9618ed26bae2c805d4c335ead300abd96c8a5d3a9dN.dll
Size: 120KB
MD5: 4907deebb668f07377538dccb2960540
SHA1: ac527d0b305760e524173507f0b682ed7b9f4c0e
SHA256: e2bdb19a27be98f626353e9618ed26bae2c805d4c335ead300abd96c8a5d3a9d
SHA512: e83e0bae384b275aa065b448b58eefada55b9a3d64e0a0741bcf924badbc840e34fc82055a5964dcc641f05d660bdaa046a757f372d7e028b014af572fd6e449
SSDEEP: 1536:sq5Y5rq7VIbeGld1MAIio0dZuAvBEp6AGCPCi00advCaYnwKvdxscqcmV9mX78:sq5YtyVPUIQBUGliiYw0DmA
Malware Config
Extracted family: sality
Extracted URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Rows below are given as description: ioc (process).

Modifies firewall policy service 3 TTPs 6 IoCs
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57e05d.exe)

Sality family

UAC bypass
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57e05d.exe)

Windows security bypass
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57b110.exe)

Executes dropped EXE 3 IoCs
PID 4876: e57b110.exe
PID 964: e57b258.exe
PID 2800: e57e05d.exe

Windows security modification
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57b110.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57b110.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57e05d.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57b110.exe)

Checks whether UAC is enabled
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57e05d.exe)

Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only): \??\L: (e57b110.exe)
File opened (read-only): \??\M: (e57b110.exe)
File opened (read-only): \??\N: (e57b110.exe)
File opened (read-only): \??\E: (e57e05d.exe)
File opened (read-only): \??\E: (e57b110.exe)
File opened (read-only): \??\G: (e57b110.exe)
File opened (read-only): \??\I: (e57b110.exe)
File opened (read-only): \??\K: (e57b110.exe)
File opened (read-only): \??\G: (e57e05d.exe)
File opened (read-only): \??\H: (e57e05d.exe)
File opened (read-only): \??\H: (e57b110.exe)
File opened (read-only): \??\J: (e57b110.exe)
File opened (read-only): \??\I: (e57e05d.exe)
Drops file in Windows directory 3 IoCs
File created: C:\Windows\e57b15e (e57b110.exe)
File opened for modification: C:\Windows\SYSTEM.INI (e57b110.exe)
File created: C:\Windows\e5807fa (e57e05d.exe)

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57e05d.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57b110.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57b258.exe)

Suspicious behavior: EnumeratesProcesses 6 IoCs
PID 4876: e57b110.exe
PID 4876: e57b110.exe
PID 4876: e57b110.exe
PID 4876: e57b110.exe
PID 2800: e57e05d.exe
PID 2800: e57e05d.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57b110.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57e05d.exe)
Processes
Each entry is given as image path (command line), PID; nesting shows the process tree depth, and the signatures triggered by a process are listed beneath it.

- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe"), PID 784
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe"), PID 792
- C:\Windows\system32\dwm.exe ("dwm.exe"), PID 388
- C:\Windows\system32\sihost.exe (sihost.exe), PID 696
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc), PID 3092
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}), PID 3132
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID 3452
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2bdb19a27be98f626353e9618ed26bae2c805d4c335ead300abd96c8a5d3a9dN.dll,#1), PID 5088
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2bdb19a27be98f626353e9618ed26bae2c805d4c335ead300abd96c8a5d3a9dN.dll,#1), PID 2616
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57b110.exe (C:\Users\Admin\AppData\Local\Temp\e57b110.exe), PID 4876
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57b258.exe (C:\Users\Admin\AppData\Local\Temp\e57b258.exe), PID 964
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57e05d.exe (C:\Users\Admin\AppData\Local\Temp\e57e05d.exe), PID 2800
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc), PID 3572
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID 3768
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca), PID 3892
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 3984
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca), PID 4076
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 3856
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 740
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 2132
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca), PID 4488
- C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca), PID 2712
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: a31638ea47a3bf3fe663904296a2ea71
  SHA1: b3493e7b0162f6ca0dccfffc83f8c6c7f5f348b1
  SHA256: 83cea487750d35f032927866c9a9af907107b40b396288271db992f522049284
  SHA512: 7bca7a7b5ae66ab056426261fa5ccd33cf7261282f34ad90029eb4a19c5d062336a04bc4f4e8b53cc0fc45388f796fe28a781611c16ef74d474d6f80ba9656b9
- Filesize: 257B
  MD5: 21b9a179f7abecdc394bd49a7c948a55
  SHA1: 6b207a69c2aed95e76387187edb31fb7f3059523
  SHA256: f58080451225f62dfe6700ad70e12289eb4802164a5e2c282c95c4105330442d
  SHA512: f7e915120ce31b5764c89d1cfcdc4b6477c68ef56cc5d64440c4cca72a9a18d1f31877258e8a8baf5fa45074d1ce2f5ae2c83beb30fe363b36c6831102bbabf1