Analysis
- max time kernel: 34s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2024 04:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: 654844ca91dba2b18ecc2021afa724aff5b92e280dcd794f15359817c7833a29N.dll
- Resource: win7-20240903-en
General
- Target: 654844ca91dba2b18ecc2021afa724aff5b92e280dcd794f15359817c7833a29N.dll
- Size: 120KB
- MD5: 77f296ef5549e7a62302d88c73c11670
- SHA1: fbda72dce260278a0a15ae8dde11041b4f745664
- SHA256: 654844ca91dba2b18ecc2021afa724aff5b92e280dcd794f15359817c7833a29
- SHA512: 3660d76497a72f226a08e81b54687d1dda44fc6c5e7bdb0d3dc6263deb53b2e36e5fa4fe62cd12e5a1165d92c9287827499b95f10ce4ca65ff095aa0fcf11419
- SSDEEP: 1536:GZQq4WM74TFu2Q6DdfC7Oicg7R4NG0M42Ku8BsKHTxOnWpJWZP:Gf4WMUM2QqfC7Oicg7R4ol4eqsonW
Malware Config
- Extracted family: sality
- C2 / download URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5763fa.exe
Sality family

UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5763fa.exe

Windows security bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579c6f.exe
Executes dropped EXE (4 IoCs)
pid | Process
836 | e5763fa.exe
3716 | e576532.exe
4708 | e579c6f.exe
3132 | e579c9e.exe
Windows security modification (14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5763fa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579c6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579c6f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579c6f.exe

Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579c6f.exe
Enumerates connected drives (3 TTPs, 9 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e5763fa.exe
File opened (read-only) | \??\J: | e5763fa.exe
File opened (read-only) | \??\G: | e579c6f.exe
File opened (read-only) | \??\H: | e579c6f.exe
File opened (read-only) | \??\G: | e5763fa.exe
File opened (read-only) | \??\H: | e5763fa.exe
File opened (read-only) | \??\I: | e5763fa.exe
File opened (read-only) | \??\K: | e5763fa.exe
File opened (read-only) | \??\E: | e579c6f.exe
YARA rule match: upx (28 IoCs)
resource | yara_rule
behavioral2/memory/836-N-0x0000000000770000-0x000000000182A000-memory.dmp for N = 6, 8, 9, 10, 11, 12, 17, 23, 27, 33, 34, 36, 37, 38, 39, 40, 46, 58, 63, 64, 65, 67, 68 (23 memory dumps of PID 836, same region) | upx
behavioral2/memory/4708-N-0x0000000000770000-0x000000000182A000-memory.dmp for N = 95, 98, 101, 102, 146 (5 memory dumps of PID 4708, same region) | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e576448 | e5763fa.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5763fa.exe
File created | C:\Windows\e57c3fc | e579c6f.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579c9e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5763fa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e576532.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579c6f.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
836 | e5763fa.exe
836 | e5763fa.exe
836 | e5763fa.exe
836 | e5763fa.exe
4708 | e579c6f.exe
4708 | e579c6f.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 836 | e5763fa.exe
(all 64 entries are identical: SeDebugPrivilege acquired by PID 836, e5763fa.exe)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3320 wrote to memory of 2328 | 3320 | rundll32.exe | 84
PID 3320 wrote to memory of 2328 | 3320 | rundll32.exe | 84
PID 3320 wrote to memory of 2328 | 3320 | rundll32.exe | 84
PID 2328 wrote to memory of 836 | 2328 | rundll32.exe | 85
PID 2328 wrote to memory of 836 | 2328 | rundll32.exe | 85
PID 2328 wrote to memory of 836 | 2328 | rundll32.exe | 85
PID 836 wrote to memory of 772 | 836 | e5763fa.exe | 8
PID 836 wrote to memory of 776 | 836 | e5763fa.exe | 9
PID 836 wrote to memory of 316 | 836 | e5763fa.exe | 13
PID 836 wrote to memory of 2652 | 836 | e5763fa.exe | 44
PID 836 wrote to memory of 2688 | 836 | e5763fa.exe | 45
PID 836 wrote to memory of 2784 | 836 | e5763fa.exe | 47
PID 836 wrote to memory of 3520 | 836 | e5763fa.exe | 56
PID 836 wrote to memory of 3660 | 836 | e5763fa.exe | 57
PID 836 wrote to memory of 3848 | 836 | e5763fa.exe | 58
PID 836 wrote to memory of 3944 | 836 | e5763fa.exe | 59
PID 836 wrote to memory of 4004 | 836 | e5763fa.exe | 60
PID 836 wrote to memory of 4084 | 836 | e5763fa.exe | 61
PID 836 wrote to memory of 4192 | 836 | e5763fa.exe | 62
PID 836 wrote to memory of 3728 | 836 | e5763fa.exe | 74
PID 836 wrote to memory of 3180 | 836 | e5763fa.exe | 76
PID 836 wrote to memory of 3416 | 836 | e5763fa.exe | 77
PID 836 wrote to memory of 2864 | 836 | e5763fa.exe | 82
PID 836 wrote to memory of 3320 | 836 | e5763fa.exe | 83
PID 836 wrote to memory of 2328 | 836 | e5763fa.exe | 84
PID 836 wrote to memory of 2328 | 836 | e5763fa.exe | 84
PID 2328 wrote to memory of 3716 | 2328 | rundll32.exe | 86
PID 2328 wrote to memory of 3716 | 2328 | rundll32.exe | 86
PID 2328 wrote to memory of 3716 | 2328 | rundll32.exe | 86
PID 836 wrote to memory of 772 | 836 | e5763fa.exe | 8
PID 836 wrote to memory of 776 | 836 | e5763fa.exe | 9
PID 836 wrote to memory of 316 | 836 | e5763fa.exe | 13
PID 836 wrote to memory of 2652 | 836 | e5763fa.exe | 44
PID 836 wrote to memory of 2688 | 836 | e5763fa.exe | 45
PID 836 wrote to memory of 2784 | 836 | e5763fa.exe | 47
PID 836 wrote to memory of 3520 | 836 | e5763fa.exe | 56
PID 836 wrote to memory of 3660 | 836 | e5763fa.exe | 57
PID 836 wrote to memory of 3848 | 836 | e5763fa.exe | 58
PID 836 wrote to memory of 3944 | 836 | e5763fa.exe | 59
PID 836 wrote to memory of 4004 | 836 | e5763fa.exe | 60
PID 836 wrote to memory of 4084 | 836 | e5763fa.exe | 61
PID 836 wrote to memory of 4192 | 836 | e5763fa.exe | 62
PID 836 wrote to memory of 3728 | 836 | e5763fa.exe | 74
PID 836 wrote to memory of 3180 | 836 | e5763fa.exe | 76
PID 836 wrote to memory of 3416 | 836 | e5763fa.exe | 77
PID 836 wrote to memory of 2864 | 836 | e5763fa.exe | 82
PID 836 wrote to memory of 3320 | 836 | e5763fa.exe | 83
PID 836 wrote to memory of 3716 | 836 | e5763fa.exe | 86
PID 836 wrote to memory of 3716 | 836 | e5763fa.exe | 86
PID 2328 wrote to memory of 4708 | 2328 | rundll32.exe | 87
PID 2328 wrote to memory of 4708 | 2328 | rundll32.exe | 87
PID 2328 wrote to memory of 4708 | 2328 | rundll32.exe | 87
PID 2328 wrote to memory of 3132 | 2328 | rundll32.exe | 88
PID 2328 wrote to memory of 3132 | 2328 | rundll32.exe | 88
PID 2328 wrote to memory of 3132 | 2328 | rundll32.exe | 88
PID 4708 wrote to memory of 772 | 4708 | e579c6f.exe | 8
PID 4708 wrote to memory of 776 | 4708 | e579c6f.exe | 9
PID 4708 wrote to memory of 316 | 4708 | e579c6f.exe | 13
PID 4708 wrote to memory of 2652 | 4708 | e579c6f.exe | 44
PID 4708 wrote to memory of 2688 | 4708 | e579c6f.exe | 45
PID 4708 wrote to memory of 2784 | 4708 | e579c6f.exe | 47
PID 4708 wrote to memory of 3520 | 4708 | e579c6f.exe | 56
PID 4708 wrote to memory of 3660 | 4708 | e579c6f.exe | 57
PID 4708 wrote to memory of 3848 | 4708 | e579c6f.exe | 58
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5763fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579c6f.exe
Processes (image | command line | PID; indentation shows tree depth)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 772
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 776
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID 316
- C:\Windows\system32\sihost.exe | sihost.exe | PID 2652
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2688
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2784
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3520
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\654844ca91dba2b18ecc2021afa724aff5b92e280dcd794f15359817c7833a29N.dll,#1 | PID 3320
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\654844ca91dba2b18ecc2021afa724aff5b92e280dcd794f15359817c7833a29N.dll,#1 | PID 2328
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5763fa.exe | C:\Users\Admin\AppData\Local\Temp\e5763fa.exe | PID 836
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e576532.exe | C:\Users\Admin\AppData\Local\Temp\e576532.exe | PID 3716
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e579c6f.exe | C:\Users\Admin\AppData\Local\Temp\e579c6f.exe | PID 4708
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e579c9e.exe | C:\Users\Admin\AppData\Local\Temp\e579c9e.exe | PID 3132
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3660
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3848
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3944
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4004
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4084
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4192
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 3728
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3180
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3416
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 2864
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 9044f67c1b21fdb8847ffb6861f3f221
  SHA1: ffddde00455b42f304fbf942599c02a8f95ea0a7
  SHA256: 4df63bd42fc848c931d2b2ff46b71a38e35c2914096603d695fc3b12dfde8af8
  SHA512: a8a0b5d917d3e16a58c454c65e34de865e104480a1f4aea27e8dfff1ca83c627b4844595694e75ecb5fdac9a01310ebabe43e2837e8571ee065e70f53bdf087b
- Filesize: 257B
  MD5: 00ae24371c881f5a1b7c1e37dd86b761
  SHA1: 1a02c59d15ca7906950d2331a5317f96785a2f10
  SHA256: 87d041a71023c7baedc0425284a9323533ea7e308fe113814caca5d0a68f74fb
  SHA512: c5bb7b6e7d1eb4bd1b74ba88713b8c0a8d27ba00aa78fc759d1731db6ac5ce9ed4f363c0f9578c76562926cf9971a209029b4c6c0a82f423830b255a9c542ec1