Analysis

max time kernel: 30s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 09:22

Static task: static1
Behavioral task: behavioral1
Sample: 5ad27176608dae8e7b2833f8fc41b1051f532996dbfbf1c838910e7d38c04eacN.dll
Resource: win7-20240708-en
General

Target: 5ad27176608dae8e7b2833f8fc41b1051f532996dbfbf1c838910e7d38c04eacN.dll
Size: 120KB
MD5: b60ecec4e897b588d82f0f6979731480
SHA1: 51e13f7ea436c940d5ca5808da4cffaaee9aa664
SHA256: 5ad27176608dae8e7b2833f8fc41b1051f532996dbfbf1c838910e7d38c04eac
SHA512: 3cf83f9406760f8a3fd12ec6908600d73197a057e72c764cb267c74454a1392d35c0100f6c4023fe4894a6261dadf95c2c648fd6a7f3cc8eec67c89919e74662
SSDEEP: 3072:Ho+CyN4Xnld4YwjcNi+g4dzAm8Ws4Py7+1:7Cyanld4HGPJdznjDPy0
Malware Config

Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description  ioc  process
- Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e57a856.exe
Sality family

UAC bypass
description  ioc  process
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57d12b.exe

Windows security bypass
description  ioc  process
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57d12b.exe
Executes dropped EXE (3 IoCs)
pid  process
- 1956  e57a856.exe
- 4900  e57a9ad.exe
- 2036  e57d12b.exe

Windows security modification
description  ioc  process
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57a856.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57d12b.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e57d12b.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57d12b.exe

Checks whether UAC is enabled
description  ioc  process
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57d12b.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  process
- File opened (read-only)  \??\H:  e57d12b.exe
- File opened (read-only)  \??\I:  e57d12b.exe
- File opened (read-only)  \??\E:  e57a856.exe
- File opened (read-only)  \??\G:  e57a856.exe
- File opened (read-only)  \??\H:  e57a856.exe
- File opened (read-only)  \??\L:  e57a856.exe
- File opened (read-only)  \??\M:  e57a856.exe
- File opened (read-only)  \??\N:  e57a856.exe
- File opened (read-only)  \??\I:  e57a856.exe
- File opened (read-only)  \??\J:  e57a856.exe
- File opened (read-only)  \??\K:  e57a856.exe
- File opened (read-only)  \??\E:  e57d12b.exe
- File opened (read-only)  \??\G:  e57d12b.exe

Yara rule matches in memory dumps
resource  yara_rule
- behavioral2/memory/1956-N-0x0000000000750000-0x000000000180A000-memory.dmp  upx  (N = 6, 8, 9, 10, 11, 12, 22, 26, 32, 34, 35, 36, 37, 38, 39, 40, 58, 60, 61, 62, 64, 66, 69, 70, 72, 76; same region, 26 dumps)
- behavioral2/memory/2036-N-0x0000000000B20000-0x0000000001BDA000-memory.dmp  upx  (N = 116, 150; same region, 2 dumps)
Drops file in Windows directory (3 IoCs)
description  ioc  process
- File created  C:\Windows\e57a8a4  e57a856.exe
- File opened for modification  C:\Windows\SYSTEM.INI  e57a856.exe
- File created  C:\Windows\e57f8d7  e57d12b.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  process
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57a9ad.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57d12b.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57a856.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid  process
- 1956  e57a856.exe  (4 entries)
- 2036  e57d12b.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description  pid  process
- Token: SeDebugPrivilege  1956  e57a856.exe  (identical entry repeated 64 times)
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  process  procid_target
Entries grouped by writing process; the number in parentheses after each target PID is its procid_target, and "x2"/"x3" marks an entry repeated in the original listing.
- PID 400 (rundll32.exe) wrote to memory of: 3088 (83) x3
- PID 3088 (rundll32.exe) wrote to memory of: 1956 (84) x3, 4900 (85) x3, 2036 (86) x3
- PID 1956 (e57a856.exe) wrote to memory of: 788 (9) x2, 796 (10) x2, 64 (13) x2, 2660 (44) x2, 2680 (45) x2, 2884 (51) x2, 3448 (56) x2, 3556 (57) x2, 3740 (58) x2, 3832 (59) x2, 3896 (60) x2, 3988 (61) x2, 1820 (62) x2, 5064 (75) x2, 1328 (76) x2, 2132 (81) x2, 400 (82) x2, 3088 (83) x2, 4900 (85) x2, 2036 (86) x2
- PID 2036 (e57d12b.exe) wrote to memory of: 788 (9), 796 (10), 64 (13), 2660 (44), 2680 (45), 2884 (51), 3448 (56), 3556 (57), 3740 (58), 3832 (59), 3896 (60), 3988 (61)
System policy modification (1 TTPs, 2 IoCs)
description  ioc  process
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a856.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57d12b.exe
Processes

Each entry gives the image path, the command line and the PID; nesting reproduces the depth shown in the report.

- C:\Windows\system32\fontdrvhost.exe (PID 788)
  cmdline: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (PID 796)
  cmdline: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 64)
  cmdline: "dwm.exe"
- C:\Windows\system32\sihost.exe (PID 2660)
  cmdline: sihost.exe
- C:\Windows\system32\svchost.exe (PID 2680)
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 2884)
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3448)
  cmdline: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 400)
    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ad27176608dae8e7b2833f8fc41b1051f532996dbfbf1c838910e7d38c04eacN.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 3088)
      cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ad27176608dae8e7b2833f8fc41b1051f532996dbfbf1c838910e7d38c04eacN.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57a856.exe (PID 1956)
        cmdline: C:\Users\Admin\AppData\Local\Temp\e57a856.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57a9ad.exe (PID 4900)
        cmdline: C:\Users\Admin\AppData\Local\Temp\e57a9ad.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57d12b.exe (PID 2036)
        cmdline: C:\Users\Admin\AppData\Local\Temp\e57d12b.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe (PID 3556)
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3740)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3832)
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3896)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3988)
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 1820)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 5064)
  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 1328)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 2132)
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

- Filesize: 97KB
  MD5: 9f6dc47fa19382690d19ed8a359696f1
  SHA1: 0a673df77cb1219e5372db041ddcf9fafe31328a
  SHA256: bc2793599caa0e6703b7370c3508de4543ef98e7581be1ed55acd4731ab59148
  SHA512: 83c673802c192a7866faef2e077fa1b85bde25429a0efc9df48471bf0431617b0c24a03f11574c012dc83e5ab145ea86dad736439324724dc7a9a3a002b8c450
- Filesize: 257B
  MD5: 12dc71a97a4cad62415051713e54b03d
  SHA1: 3daca990adc2c2b0b01093707a19e8b2494044b6
  SHA256: 42fce4f2b70e20676e8f0bee404e7bdb5c719d14f9e264e1f7a3a021cc73d79b
  SHA512: 2cd4d33b8b86ca89268aa88f89f92cd131d6767ab314950e672e63cbf39909f20efb777eda0d8b8d59139353c7337e66e9866fb29c2cf1ea20f5a1eeeb015c14