Analysis
- max time kernel: 31s
- max time network: 99s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2024 10:47
Static task: static1
Behavioral task: behavioral1
Sample: 27e1e32462256dbac2d9424a13f2ba083255fc4810d2baaf276cd12482dd44f5N.dll
Resource: win7-20240903-en
General
- Target: 27e1e32462256dbac2d9424a13f2ba083255fc4810d2baaf276cd12482dd44f5N.dll
- Size: 120KB
- MD5: fc800e7af06a725d097500a38222d720
- SHA1: 6560b6b99711b8fb0c87dc3ad0c7f47ea1a7ce0b
- SHA256: 27e1e32462256dbac2d9424a13f2ba083255fc4810d2baaf276cd12482dd44f5
- SHA512: 32d88e7cfa180507fbc23293a129163626421f92903afbdef3f8225dc3f47b19df85d3fa8bf04aa527fbddc253d93e9067b5aff742a29133ace927ee11c3216c
- SSDEEP: 3072:+XK5GMYqO3NT0aEO4eXXBQdzmKcuiYsqJ3frne:+0/uV3nXMZcuLV3frn
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579645.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c4a8.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c4a8.exe
Executes dropped EXE (3 IoCs)
pid | Process
2344 | e579645.exe
4092 | e5797cb.exe
4116 | e57c4a8.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579645.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c4a8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c4a8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c4a8.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c4a8.exe
Enumerates connected drives (3 TTPs, 9 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | e579645.exe
File opened (read-only) | \??\E: | e579645.exe
File opened (read-only) | \??\K: | e579645.exe
File opened (read-only) | \??\L: | e579645.exe
File opened (read-only) | \??\M: | e579645.exe
File opened (read-only) | \??\G: | e579645.exe
File opened (read-only) | \??\H: | e579645.exe
File opened (read-only) | \??\I: | e579645.exe
File opened (read-only) | \??\J: | e579645.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e5796c2 | e579645.exe
File opened for modification | C:\Windows\SYSTEM.INI | e579645.exe
File created | C:\Windows\e57ec35 | e57c4a8.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579645.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5797cb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c4a8.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2344 | e579645.exe
2344 | e579645.exe
2344 | e579645.exe
2344 | e579645.exe
4116 | e57c4a8.exe
4116 | e57c4a8.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579645.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c4a8.exe
Processes
process image | command line | PID (indentation shows parent/child nesting)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID: 788
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID: 796
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID: 316
- C:\Windows\system32\sihost.exe | sihost.exe | PID: 2608
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID: 2660
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID: 2936
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID: 3444
- C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\27e1e32462256dbac2d9424a13f2ba083255fc4810d2baaf276cd12482dd44f5N.dll,#1 | PID: 2376
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\27e1e32462256dbac2d9424a13f2ba083255fc4810d2baaf276cd12482dd44f5N.dll,#1 | PID: 2624
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\e579645.exe | C:\Users\Admin\AppData\Local\Temp\e579645.exe | PID: 2344
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\e5797cb.exe | C:\Users\Admin\AppData\Local\Temp\e5797cb.exe | PID: 4092
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\e57c4a8.exe | C:\Users\Admin\AppData\Local\Temp\e57c4a8.exe | PID: 4116
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID: 3552
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID: 3756
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID: 3848
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3912
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID: 4000
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3600
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID: 4328
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 1992
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID: 5028
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 8235519fb109f89b832650647fe39530
  SHA1: 816b47d09190a4dde42872f54d76dce97e67d22f
  SHA256: fd5f402d2461e5e2fa253d26a39923e2ff94f1d8005114679275fd97f51cde1e
  SHA512: 9bbe823a86394ef15a523ebb5346a2fab484e136d5adcd96bcf35aa1154b8f42c3c23323054bf6a9ab3cf39895b767e4e79a64db4d5a9bdcb1abe468722687f7
- Filesize: 257B
  MD5: 6c315d9098e9abe804a1893b9577ca64
  SHA1: b7051d4c0345b3f67f5745d5491b2e776ddc7373
  SHA256: 709eced6aad7c9c6caf43831a722d14ade6320088709ec66153ad966519cae32
  SHA512: 1bbaf3a3afc7971f3eae172f30a8bc4ef2c15fea7fdc65eb8bb0403e9fc1b1f679d963fc44e4a4be62b5c09d32b1f09c03d9368941f80ca63c9ce69cfc4ccf6f