Analysis

max time kernel: 95s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2024 06:29

Static task: static1
Behavioral task: behavioral1
Sample: f9c50599458b626164810b55d7e9486c3bee67e201f73d71d364d0c36f5475c8N.dll
Resource: win7-20241010-en

General

Target: f9c50599458b626164810b55d7e9486c3bee67e201f73d71d364d0c36f5475c8N.dll
Size: 120KB
MD5: 6d58ebb855a53c7d49ae3f9e82de0980
SHA1: 6eba10167620bd6d7d5c4a602e898f7c0ac0ec34
SHA256: f9c50599458b626164810b55d7e9486c3bee67e201f73d71d364d0c36f5475c8
SHA512: 03657beb2ffb8b3db6459c8f8a30539460288cc48d1885e0ad9ab146b93890fec6beea0718d7f1cdd983fa8ae884b09fbb3e657d141b3559d3a3cf8789d132e6
SSDEEP: 3072:SeGoxa5LYHBZ5rZJDFiPyjx4toccPRFLBUxlBc6Q:EwiczBZGPyjxCoVNilT
Malware Config

Extracted family: sality
Extracted URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e57978d.exe

Sality family

UAC bypass (2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57c208.exe

Windows security bypass (12 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57c208.exe

Executes dropped EXE (4 IoCs)
  4460  e57978d.exe
  2512  e579952.exe
  2444  e57c208.exe
  4936  e57c227.exe

Windows security modification (14 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57c208.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57978d.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57c208.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57c208.exe

Checks whether UAC is enabled (2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57c208.exe
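The firewall, UAC and Security Center tables above all come down to ten registry values written by the two dropped payloads. As an added example (not part of the sandbox report, and not the sandbox's own signature logic), the Python below takes IoC lines in the report's own "Set value (int) <path> = "<value>" <process>" / "Key created <path> <process>" shape and names the defence each write switches off. It folds WOW6432Node out of the path (the payloads run as 32-bit processes under SysWOW64, so their HKLM\SOFTWARE writes are redirected there) and rewrites ControlSet001 to CurrentControlSet, so one rule matches both registry views and the same table can be run over a live host's export. The rule table, the descriptions and the ATT&CK technique IDs are the editor's; the sample lines are a constructed subset of the report's IoCs plus one harmless write that must not fire.

```python
"""Classify sandbox registry IoCs into the Windows defences they turn off.

Editor's example, not the sandbox's code. Input lines follow the report's
own format; rule table, descriptions and ATT&CK IDs are the editor's.
"""
import re
from collections import defaultdict

IOC_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'            # NT path, may contain spaces
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'       # value only for "Set value"
    r'\s+(?P<proc>\S+)$'
)

# (lower-cased key tail, value written) -> (what it defeats, ATT&CK technique).
# Tails are matched after WOW6432Node / ControlSet00N are folded away, so a
# 32-bit (redirected) and a 64-bit write hit the same rule.
RULES = {
    ("firewallpolicy\\standardprofile\\enablefirewall", "0"):
        ("Windows Firewall disabled (standard profile)", "T1562.004"),
    ("firewallpolicy\\standardprofile\\donotallowexceptions", "0"):
        ("Firewall exceptions allowed again", "T1562.004"),
    ("firewallpolicy\\standardprofile\\disablenotifications", "1"):
        ("Firewall block notifications suppressed", "T1562.004"),
    ("policies\\system\\enablelua", "0"):
        ("UAC disabled (effective at next logon)", "T1548.002"),
    ("security center\\antivirusoverride", "1"):
        ("Security Center AV monitoring overridden", "T1562.001"),
    ("security center\\firewalloverride", "1"):
        ("Security Center firewall monitoring overridden", "T1562.001"),
    ("security center\\antivirusdisablenotify", "1"):
        ("Security Center AV warnings suppressed", "T1562.001"),
    ("security center\\firewalldisablenotify", "1"):
        ("Security Center firewall warnings suppressed", "T1562.001"),
    ("security center\\updatesdisablenotify", "1"):
        ("Security Center update warnings suppressed", "T1562.001"),
    ("security center\\uacdisablenotify", "1"):
        ("Security Center UAC warnings suppressed", "T1562.001"),
}


def normalise(path: str) -> str:
    """Fold the raw NT path into a lower-case form comparable across views."""
    p = path.lower()
    p = p.replace("\\wow6432node", "")                    # 32-bit redirection
    p = re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", p)
    return p


def parse(line: str):
    """Split one IoC line into op/type/path/value/proc, or None if malformed."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["norm"] = normalise(d["path"])
    return d


def classify(line: str):
    """Return (process, technique, description) when a write weakens a defence."""
    ioc = parse(line)
    if ioc is None or ioc["value"] is None:       # "Key created" carries no value
        return None
    for (tail, value), (desc, tech) in RULES.items():
        if ioc["norm"].endswith(tail) and ioc["value"] == value:
            return ioc["proc"], tech, desc
    return None


def summarise(lines):
    """Map process -> {technique: [descriptions]} over a batch of IoC lines."""
    out = defaultdict(lambda: defaultdict(list))
    for line in lines:
        hit = classify(line)
        if hit:
            proc, tech, desc = hit
            out[proc][tech].append(desc)
    return {p: dict(t) for p, t in out.items()}


# Constructed sample in the report's format: a subset of its IoCs plus one
# harmless write (EnableFirewall = "1" by notepad.exe) that must not fire.
SAMPLE = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57978d.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57978d.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57978d.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57c208.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57c208.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" notepad.exe',
]

if __name__ == "__main__":
    for proc, techs in summarise(SAMPLE).items():
        for tech, descs in techs.items():
            print(f"{proc}: {tech}")
            for d in descs:
                print(f"    {d}")
```

The same `RULES` table is the checklist for a live host: read HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and both views of HKLM\SOFTWARE\Microsoft\Security Center, and treat any value in the table as a remediation item rather than just an alert, since none of them is reverted by killing the process.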
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\E:  e57978d.exe
  File opened (read-only)  \??\G:  e57978d.exe
  File opened (read-only)  \??\H:  e57978d.exe
  File opened (read-only)  \??\I:  e57978d.exe
  File opened (read-only)  \??\K:  e57978d.exe
  File opened (read-only)  \??\M:  e57978d.exe
  File opened (read-only)  \??\G:  e57c208.exe
  File opened (read-only)  \??\H:  e57c208.exe
  File opened (read-only)  \??\J:  e57978d.exe
  File opened (read-only)  \??\L:  e57978d.exe
  File opened (read-only)  \??\E:  e57c208.exe
  File opened (read-only)  \??\I:  e57c208.exe
  File opened (read-only)  \??\J:  e57c208.exe

YARA rule match: upx (27 memory dumps)
  behavioral2/memory/4460-<n>-0x0000000000820000-0x00000000018DA000-memory.dmp  upx  (e57978d.exe, PID 4460; n = 6, 8, 9, 10, 11, 17, 25, 31, 33, 34, 35, 36, 37, 38, 39, 59, 60, 62, 63, 65, 66, 70, 71, 79)
  behavioral2/memory/2444-<n>-0x0000000000790000-0x000000000184A000-memory.dmp  upx  (e57c208.exe, PID 2444; n = 97, 113, 156)
Each process shows the same 0x10BA000-byte region (about 17 MB) matching the upx rule, dumped repeatedly over the run.

Drops file in Windows directory (3 IoCs)
  File created  C:\Windows\e579819  e57978d.exe
  File opened for modification  C:\Windows\SYSTEM.INI  e57978d.exe
  File created  C:\Windows\e57e995  e57c208.exe

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57978d.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e579952.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57c208.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57c227.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  4460  e57978d.exe  (4 entries)
  2444  e57c208.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege  4460  e57978d.exe  (all 64 listed entries are this token on PID 4460)

Suspicious use of WriteProcessMemory (64 IoCs; the listing stops at 64 entries)
  writer -> target (procid_target)
  4072 rundll32.exe -> 1660 rundll32.exe (82), 3 entries
  1660 rundll32.exe -> 4460 e57978d.exe (83), 3 entries
  4460 e57978d.exe -> 780 (8), 788 (9), 1016 (13), 2552 (44), 2564 (45), 2740 (48), 3560 (56), 3696 (57), 3872 (58), 3972 (59), 4048 (60), 668 (61), 3620 (62), 4644 (64), 2816 (76), 4072 (81), 1660 (82, 2 entries)
  1660 rundll32.exe -> 2512 e579952.exe (84), 3 entries
  4460 e57978d.exe -> 780 (8), 788 (9), 1016 (13), 2552 (44), 2564 (45), 2740 (48), 3560 (56), 3696 (57), 3872 (58), 3972 (59), 4048 (60), 668 (61), 3620 (62), 4644 (64), 2816 (76), 4072 (81), 2512 (84, 2 entries)
  1660 rundll32.exe -> 2444 e57c208.exe (85), 3 entries
  1660 rundll32.exe -> 4936 e57c227.exe (86), 3 entries
  2444 e57c208.exe -> 780 (8), 788 (9), 1016 (13), 2552 (44), 2564 (45), 2740 (48), 3560 (56), 3696 (57), 3872 (58), 3972 (59), 4048 (60), 668 (61), 3620 (62)
The rundll32.exe entries are a parent writing into the child it has just created. The entries from 4460 (e57978d.exe) and 2444 (e57c208.exe) are writes into processes they did not create: fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, StartMenuExperienceHost, RuntimeBroker, SearchApp and TextInputHost (PIDs in the process list below), plus their own parent rundll32 and sibling e579952.exe. That injection fan-out is what puts those system processes into the tree.

System policy modification (1 TTP, 2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57978d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57c208.exe
Processes

The top-level system processes below are in the tree because e57978d.exe (PID 4460) and e57c208.exe (PID 2444) wrote into their memory (see the WriteProcessMemory IoCs above); they are not children of the sample. The 64-bit rundll32.exe (PID 4072) hands the DLL to the 32-bit C:\Windows\SysWOW64\rundll32.exe (PID 1660), so every payload it drops runs as a 32-bit process, which is why their Security Center writes land under WOW6432Node.

C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:780
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:788
C:\Windows\system32\dwm.exe  "dwm.exe"  PID:1016
C:\Windows\system32\sihost.exe  sihost.exe  PID:2552
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2564
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2740
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3560
  C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9c50599458b626164810b55d7e9486c3bee67e201f73d71d364d0c36f5475c8N.dll,#1  PID:4072
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9c50599458b626164810b55d7e9486c3bee67e201f73d71d364d0c36f5475c8N.dll,#1  PID:1660
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57978d.exe  C:\Users\Admin\AppData\Local\Temp\e57978d.exe  PID:4460
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e579952.exe  C:\Users\Admin\AppData\Local\Temp\e579952.exe  PID:2512
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57c208.exe  C:\Users\Admin\AppData\Local\Temp\e57c208.exe  PID:2444
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57c227.exe  C:\Users\Admin\AppData\Local\Temp\e57c227.exe  PID:4936
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3696
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3872
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3972
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4048
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:668
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3620
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4644
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:2816
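The WriteProcessMemory table records a parent writing into the child it has just created in exactly the same way as a write into an unrelated, already-running process, so the raw count (64 here) says nothing on its own. As an added example (the editor's, not the sandbox's), the Python below reads lines in the report's "PID <writer> wrote to memory of <target> <writer> <image> <procid>" format, uses the parent links from the process tree to set aside child-creation writes, and ranks the remaining writers by how many foreign address spaces they touched. The event lines are a constructed subset of the report's IoCs and the parent map is taken from the tree above; the `min_targets` threshold is the editor's choice.

```python
"""Separate process creation from injection in WriteProcessMemory IoCs.

Editor's example, not the sandbox's code. Event lines follow the report's
format; PARENTS mirrors the process tree; the threshold is an assumption.
"""
import re
from collections import defaultdict

WPM_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<procid>\d+)$"
)


def parse_events(lines):
    """Yield (writer_pid, writer_image, target_pid) for each well-formed line."""
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            yield int(m["writer"]), m["image"], int(m["target"])


def injection_report(lines, parents):
    """Return {writer_pid: {"image", "children", "foreign"}}.

    A target counts as a child when the writer is its parent (normal
    CreateProcess behaviour); any other target is a foreign address space.
    """
    rep = defaultdict(lambda: {"image": None, "children": set(), "foreign": set()})
    for writer, image, target in parse_events(lines):
        entry = rep[writer]
        entry["image"] = image
        if parents.get(target) == writer:
            entry["children"].add(target)
        else:
            entry["foreign"].add(target)
    return dict(rep)


def injectors(rep, min_targets=2):
    """Writers touching at least min_targets foreign processes, worst first."""
    hits = [(w, e["image"], len(e["foreign"]))
            for w, e in rep.items() if len(e["foreign"]) >= min_targets]
    return sorted(hits, key=lambda t: -t[2])


# Constructed subset of the report's WriteProcessMemory lines (same format).
EVENTS = [
    "PID 4072 wrote to memory of 1660 4072 rundll32.exe 82",
    "PID 4072 wrote to memory of 1660 4072 rundll32.exe 82",
    "PID 1660 wrote to memory of 4460 1660 rundll32.exe 83",
    "PID 1660 wrote to memory of 2512 1660 rundll32.exe 84",
    "PID 4460 wrote to memory of 780 4460 e57978d.exe 8",
    "PID 4460 wrote to memory of 1016 4460 e57978d.exe 13",
    "PID 4460 wrote to memory of 3560 4460 e57978d.exe 56",
    "PID 4460 wrote to memory of 1660 4460 e57978d.exe 82",
    "PID 4460 wrote to memory of 2512 4460 e57978d.exe 84",
    "PID 2444 wrote to memory of 780 2444 e57c208.exe 8",
    "PID 2444 wrote to memory of 3560 2444 e57c208.exe 56",
]
# child -> parent, as shown in the report's process tree.
PARENTS = {4072: 3560, 1660: 4072, 4460: 1660, 2512: 1660, 2444: 1660, 4936: 1660}
# pid -> image, for readable output only.
IMAGES = {780: "fontdrvhost.exe", 1016: "dwm.exe", 3560: "Explorer.EXE",
          4072: "rundll32.exe", 1660: "rundll32.exe", 4460: "e57978d.exe",
          2512: "e579952.exe", 2444: "e57c208.exe"}

if __name__ == "__main__":
    rep = injection_report(EVENTS, PARENTS)
    for pid, image, n in injectors(rep):
        targets = ", ".join(f"{t} {IMAGES.get(t, '?')}"
                            for t in sorted(rep[pid]["foreign"]))
        print(f"{pid} {image}: wrote into {n} foreign processes -> {targets}")
```

On the report's full table the same split gives 4072 and 1660 nothing but child writes, while 4460 reaches eighteen foreign processes and 2444 thirteen before the listing is cut off; note that 4460 also writes into its own parent (1660) and sibling (2512), so a parent-only filter is not enough and the check has to be "did the writer create this target", not "are they related".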
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: b6a4b388c9a8f52c28529ed945b4e3e1
SHA1: 3527c992772ba444151a0db925bd4a7cfe557123
SHA256: b70b13a58f73a5c3a4dc8ea762ec9067c25de448926aa8699ab16d52086b7e01
SHA512: a378a36c0e2f8957f04fdf925173833e61d68155ff660dc4ec1399c25384935fb637ce38417916952647a67a0ef405fa7b39c4f8fc50b95a8f50b4fc6d0cfdd4

Filesize: 257B
MD5: d53b05e966c7c5115bba6570103c953a
SHA1: 2b32f240056bbf3b651681350508af128a8ef326
SHA256: d19832741904bc1a6c231d9e61be91f3fec9d58b0c4a1b780aa9eab2c95e36fc
SHA512: 7d5fe23810c7907e8cbc68ee6c7d560333759598b6465c23eac3b252aee18da32d380e68131486a9a8e1c9fcbc4cb8e8e3e480509e04e23660a3924f1e1badba