Analysis
- max time kernel: 32s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2024 10:50

- Static task: static1
- Behavioral task: behavioral1
  - Sample: e48d0bae80bc4ff6af31c9037a2937f64e2d45aa07dc17263d38ba18b6e93618N.dll
  - Resource: win7-20240903-en

General
- Target: e48d0bae80bc4ff6af31c9037a2937f64e2d45aa07dc17263d38ba18b6e93618N.dll
- Size: 120KB
- MD5: 957601a4a2ba6e5f0ab03298ed1ae0c0
- SHA1: bbdfcd0e79db76bef4cf0866827aaa911afa3e40
- SHA256: e48d0bae80bc4ff6af31c9037a2937f64e2d45aa07dc17263d38ba18b6e93618
- SHA512: 92c9fbb1ebed47ccca04450ffaf0b744aef55c9acc95622afd479777f4bf6c87e308b0b587765c1cea51202738a39a4c2b913078902b4e83501ff7f66e52b93f
- SSDEEP: 1536:x3Y5OdlsWrwDQ2V+bwtSYx6kRsQqQjm4bIrZ+nIItiHug2xeGjPRcTHCClb+:+5/WkJ+bzE6kUIm4bAknDiAx3Vxx
Malware Config
Extracted
- family: sality
- urls:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577c44.exe
-
Sality family
-
UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ace9.exe
-
Windows security bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ace9.exe
-
Executes dropped EXE (3 IoCs)
pid | Process
3048 | e577c44.exe
3428 | e577dcb.exe
2016 | e57ace9.exe
-
Windows security modification (14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577c44.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ace9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577c44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ace9.exe
-
Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577c44.exe
-
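The registry rows above are the whole defence-impairment story of this sample: the Windows Firewall profile is switched off, EnableLUA is zeroed so UAC stops prompting, and the Security Center "Override"/"DisableNotify" values are set so the user is not warned. The following script, added here as a worked example and not part of the sandbox's own code, parses rows in exactly the rendering shown on this page and maps each one to the ATT&CK technique the page's own ATT&CK section names. The sample rows are a constructed subset of the ones above; the rule table and the technique IDs are this example's.

```python
"""Classify the registry writes listed in this report's signature rows.

Added example for this page; it is not part of the sandbox's own code. The
sample rows below are constructed to match the report's "description ioc
Process" rendering, and the ATT&CK labels are the ones the page's own
ATT&CK section uses.
"""
import re
from collections import defaultdict

# Constructed sample rows (a subset of the ones shown above, verbatim format).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e577c44.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e577c44.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57ace9.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577c44.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e577c44.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57ace9.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57ace9.exe',
]

# "<op> <key path>[ = "<value>"] <process>"; the key path may contain spaces
# ("Security Center"), so it is matched lazily up to the optional value and
# the final process token.
ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created|Key opened)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'
    r'\s+(?P<process>\S+)$'
)

# (parent-key fragment, value names, value that means "tampered", ATT&CK label)
TAMPER_RULES = [
    (r"\FirewallPolicy\StandardProfile", ("EnableFirewall", "DoNotAllowExceptions"), "0",
     "T1562.004 Disable or Modify System Firewall"),
    (r"\FirewallPolicy\StandardProfile", ("DisableNotifications",), "1",
     "T1562.004 Disable or Modify System Firewall"),
    (r"\Policies\System", ("EnableLUA",), "0",
     "T1548.002 Bypass User Account Control"),
    (r"\Security Center", ("AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
                           "FirewallDisableNotify", "UacDisableNotify", "UpdatesDisableNotify"), "1",
     "T1562.001 Disable or Modify Tools"),
]


def classify(row):
    """Parse one sandbox row and map it to the defence it impairs (if any)."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    op, key, value, process = m.group("op", "key", "value", "process")
    if op.startswith("Set value"):
        parent, _, value_name = key.rpartition("\\")
    else:
        parent, value_name = key, None
    technique = None
    for fragment, names, bad_value, label in TAMPER_RULES:
        if fragment in parent and value_name in names and value == bad_value:
            technique = label
            break
    if technique is None and "\\Security Center" in key:
        technique = "T1112 Modify Registry"  # e.g. creation of the "Svc" subkey
    return {
        "op": op,
        "key": key,
        "value_name": value_name,
        "value": value,
        "process": process,
        "technique": technique,
        # WOW6432Node means a 32-bit writer on x64 whose HKLM\SOFTWARE writes
        # were redirected by WOW64; the 64-bit Security Center key itself was
        # not written. When checking a live host, query both registry views.
        "wow64_redirected": "\\WOW6432Node\\" in key,
    }


def summarize(rows):
    """Return {process: sorted ATT&CK labels} over all rows that matched a rule."""
    per_process = defaultdict(set)
    for row in rows:
        hit = classify(row)
        if hit["technique"]:
            per_process[hit["process"]].add(hit["technique"])
    return {proc: sorted(labels) for proc, labels in per_process.items()}


if __name__ == "__main__":
    for proc, labels in summarize(SAMPLE_ROWS).items():
        print(proc)
        for label in labels:
            print("   ", label)
```

Two details worth noting when turning this into a host check: the firewall and EnableLUA paths are not subject to WOW64 redirection, so those writes took effect, whereas every Security Center write on this page landed under WOW6432Node because the dropped executables ran as 32-bit processes (note the SysWOW64\rundll32.exe in the process tree); a check that only reads the 64-bit view of HKLM\SOFTWARE\Microsoft\Security Center would miss them.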
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e577c44.exe
File opened (read-only) | \??\J: | e577c44.exe
File opened (read-only) | \??\E: | e57ace9.exe
File opened (read-only) | \??\G: | e57ace9.exe
File opened (read-only) | \??\M: | e577c44.exe
File opened (read-only) | \??\H: | e57ace9.exe
File opened (read-only) | \??\I: | e57ace9.exe
File opened (read-only) | \??\E: | e577c44.exe
File opened (read-only) | \??\H: | e577c44.exe
File opened (read-only) | \??\I: | e577c44.exe
File opened (read-only) | \??\K: | e577c44.exe
File opened (read-only) | \??\L: | e577c44.exe
-
yara: upx (27 IoCs)
resource | yara_rule
behavioral2/memory/3048-N-0x0000000000770000-0x000000000182A000-memory.dmp | upx (25 dumps of the same e577c44.exe region, N = 6, 8, 9, 10, 11, 21, 26, 28, 30, 34, 35, 36, 37, 38, 39, 40, 46, 55, 56, 59, 60, 62, 63, 66, 68)
behavioral2/memory/2016-93-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2016-145-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
-
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e577c44.exe
File created | C:\Windows\e57d457 | e57ace9.exe
File created | C:\Windows\e577c92 | e577c44.exe
-
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577c44.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577dcb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ace9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3048 | e577c44.exe (4 entries)
2016 | e57ace9.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3048 | e577c44.exe (64 identical entries)
-
Suspicious use of WriteProcessMemory (63 IoCs)
description | pid | Process | procid_target
PID 4524 wrote to memory of 3280 | 4524 | rundll32.exe | 82 (x3)
PID 3280 wrote to memory of 3048 | 3280 | rundll32.exe | 83 (x3)
PID 3048 wrote to memory of 788 | 3048 | e577c44.exe | 8
PID 3048 wrote to memory of 796 | 3048 | e577c44.exe | 9
PID 3048 wrote to memory of 332 | 3048 | e577c44.exe | 13
PID 3048 wrote to memory of 2556 | 3048 | e577c44.exe | 42
PID 3048 wrote to memory of 2572 | 3048 | e577c44.exe | 43
PID 3048 wrote to memory of 2668 | 3048 | e577c44.exe | 46
PID 3048 wrote to memory of 3380 | 3048 | e577c44.exe | 56
PID 3048 wrote to memory of 3548 | 3048 | e577c44.exe | 57
PID 3048 wrote to memory of 3756 | 3048 | e577c44.exe | 58
PID 3048 wrote to memory of 3856 | 3048 | e577c44.exe | 59
PID 3048 wrote to memory of 3916 | 3048 | e577c44.exe | 60
PID 3048 wrote to memory of 4008 | 3048 | e577c44.exe | 61
PID 3048 wrote to memory of 3544 | 3048 | e577c44.exe | 62
PID 3048 wrote to memory of 2248 | 3048 | e577c44.exe | 74
PID 3048 wrote to memory of 4452 | 3048 | e577c44.exe | 76
PID 3048 wrote to memory of 4524 | 3048 | e577c44.exe | 81
PID 3048 wrote to memory of 3280 | 3048 | e577c44.exe | 82 (x2)
PID 3280 wrote to memory of 3428 | 3280 | rundll32.exe | 84 (x3)
PID 3048 wrote to memory of 788 | 3048 | e577c44.exe | 8
PID 3048 wrote to memory of 796 | 3048 | e577c44.exe | 9
PID 3048 wrote to memory of 332 | 3048 | e577c44.exe | 13
PID 3048 wrote to memory of 2556 | 3048 | e577c44.exe | 42
PID 3048 wrote to memory of 2572 | 3048 | e577c44.exe | 43
PID 3048 wrote to memory of 2668 | 3048 | e577c44.exe | 46
PID 3048 wrote to memory of 3380 | 3048 | e577c44.exe | 56
PID 3048 wrote to memory of 3548 | 3048 | e577c44.exe | 57
PID 3048 wrote to memory of 3756 | 3048 | e577c44.exe | 58
PID 3048 wrote to memory of 3856 | 3048 | e577c44.exe | 59
PID 3048 wrote to memory of 3916 | 3048 | e577c44.exe | 60
PID 3048 wrote to memory of 4008 | 3048 | e577c44.exe | 61
PID 3048 wrote to memory of 3544 | 3048 | e577c44.exe | 62
PID 3048 wrote to memory of 2248 | 3048 | e577c44.exe | 74
PID 3048 wrote to memory of 4452 | 3048 | e577c44.exe | 76
PID 3048 wrote to memory of 4524 | 3048 | e577c44.exe | 81
PID 3048 wrote to memory of 3428 | 3048 | e577c44.exe | 84 (x2)
PID 3280 wrote to memory of 2016 | 3280 | rundll32.exe | 85 (x3)
PID 2016 wrote to memory of 788 | 2016 | e57ace9.exe | 8
PID 2016 wrote to memory of 796 | 2016 | e57ace9.exe | 9
PID 2016 wrote to memory of 332 | 2016 | e57ace9.exe | 13
PID 2016 wrote to memory of 2556 | 2016 | e57ace9.exe | 42
PID 2016 wrote to memory of 2572 | 2016 | e57ace9.exe | 43
PID 2016 wrote to memory of 2668 | 2016 | e57ace9.exe | 46
PID 2016 wrote to memory of 3380 | 2016 | e57ace9.exe | 56
PID 2016 wrote to memory of 3548 | 2016 | e57ace9.exe | 57
PID 2016 wrote to memory of 3756 | 2016 | e57ace9.exe | 58
PID 2016 wrote to memory of 3856 | 2016 | e57ace9.exe | 59
PID 2016 wrote to memory of 3916 | 2016 | e57ace9.exe | 60
PID 2016 wrote to memory of 4008 | 2016 | e57ace9.exe | 61
PID 2016 wrote to memory of 3544 | 2016 | e57ace9.exe | 62
PID 2016 wrote to memory of 2248 | 2016 | e57ace9.exe | 74
PID 2016 wrote to memory of 4452 | 2016 | e57ace9.exe | 76
-
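Not every row in this table means the same thing. A parent writing into a child it has just created (4524 into 3280, 3280 into 3048/3428/2016) is what process creation looks like; the rows that matter are e577c44.exe and e57ace9.exe writing into fontdrvhost.exe, dwm.exe, Explorer.EXE and the other pre-existing processes, and e577c44.exe writing back into its own parent rundll32.exe before that parent spawned the two other dropped executables. The script below, added as an example and not part of the sandbox's output, separates the two cases. The rows and the parent map are constructed from this page's table and process tree; the "write into your own new child is expected, anything else is injection" rule is this example's heuristic.

```python
"""Separate process-creation writes from cross-process injection in the
"Suspicious use of WriteProcessMemory" rows above.

Added example for this page, not part of the sandbox's own code. The rows and
the parent map are constructed here from what the report shows; the rule that
a write into a process the writer itself just created is expected, while a
write into any other process is treated as injection, is this example's
heuristic, not the sandbox's.
"""
import re
from collections import defaultdict

# Constructed subset of the report's rows:
# "PID <writer> wrote to memory of <target> <writer> <image> <target index>"
SAMPLE_ROWS = [
    "PID 4524 wrote to memory of 3280 4524 rundll32.exe 82",
    "PID 3280 wrote to memory of 3048 3280 rundll32.exe 83",
    "PID 3048 wrote to memory of 788 3048 e577c44.exe 8",
    "PID 3048 wrote to memory of 332 3048 e577c44.exe 13",
    "PID 3048 wrote to memory of 3380 3048 e577c44.exe 56",
    "PID 3048 wrote to memory of 3280 3048 e577c44.exe 82",
    "PID 3280 wrote to memory of 3428 3280 rundll32.exe 84",
    "PID 3048 wrote to memory of 3428 3048 e577c44.exe 84",
    "PID 3280 wrote to memory of 2016 3280 rundll32.exe 85",
    "PID 2016 wrote to memory of 788 2016 e57ace9.exe 8",
]

# Parent PID per process, read off the report's process tree (constructed here).
PARENT_OF = {
    4524: 3380,  # system32\rundll32.exe, launched under Explorer.EXE
    3280: 4524,  # SysWOW64\rundll32.exe (32-bit relaunch for the 32-bit DLL)
    3048: 3280,  # e577c44.exe
    3428: 3280,  # e577dcb.exe
    2016: 3280,  # e57ace9.exe
}

# Image names for the PIDs that appear as targets, from the process list.
IMAGE_OF = {
    788: "fontdrvhost.exe", 332: "dwm.exe", 3380: "Explorer.EXE",
    4524: "rundll32.exe", 3280: "rundll32.exe", 3048: "e577c44.exe",
    3428: "e577dcb.exe", 2016: "e57ace9.exe",
}

ROW_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<target_idx>\d+)$"
)


def parse_row(row):
    """Parse one row into writer PID, target PID, writer image and target index."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    return {
        "writer": int(m["writer"]),
        "target": int(m["target"]),
        "image": m["image"],
        "target_idx": int(m["target_idx"]),
    }


def classify_write(writer, target, parent_of):
    """'child-setup' for a parent writing into its own new child (normal during
    process creation), 'parent-injection' for a child writing back into its
    parent, 'injection' for any other cross-process write."""
    if parent_of.get(target) == writer:
        return "child-setup"
    if parent_of.get(writer) == target:
        return "parent-injection"
    return "injection"


def injections(rows, parent_of):
    """{(writer_pid, writer_image): sorted target PIDs} for every write that
    is not explained by process creation."""
    found = defaultdict(set)
    for row in rows:
        r = parse_row(row)
        if classify_write(r["writer"], r["target"], parent_of) != "child-setup":
            found[(r["writer"], r["image"])].add(r["target"])
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for (pid, image), targets in injections(SAMPLE_ROWS, PARENT_OF).items():
        names = ", ".join(f"{t} ({IMAGE_OF.get(t, '?')})" for t in targets)
        print(f"{image} [{pid}] wrote into: {names}")
```

Run against the full table rather than the subset, the same logic leaves rundll32.exe (4524 and 3280) with no findings and attributes every remaining row to the two dropped executables, which is the picture a responder wants: the loader is benign glue, the payloads are the injectors. On a live host the parent map comes from the process tree (for example Sysmon event 1 or a CreateProcess ETW feed) instead of a hand-built dictionary.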
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ace9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577c44.exe
Processes
(image path | command line | PID; indentation is process-tree depth)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 788
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 796
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID 332
- C:\Windows\system32\sihost.exe | sihost.exe | PID 2556
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2572
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2668
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3380
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e48d0bae80bc4ff6af31c9037a2937f64e2d45aa07dc17263d38ba18b6e93618N.dll,#1 | PID 4524
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e48d0bae80bc4ff6af31c9037a2937f64e2d45aa07dc17263d38ba18b6e93618N.dll,#1 | PID 3280
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e577c44.exe | C:\Users\Admin\AppData\Local\Temp\e577c44.exe | PID 3048
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e577dcb.exe | C:\Users\Admin\AppData\Local\Temp\e577dcb.exe | PID 3428
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57ace9.exe | C:\Users\Admin\AppData\Local\Temp\e57ace9.exe | PID 2016
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3548
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3756
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3856
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3916
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4008
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3544
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 2248
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4452
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 76841181ced3b6dd8979c2de45dfc2b5
  SHA1: c518056f26c6a9885c97d3748c29ae3ab8badaf0
  SHA256: eaf0b6f4c0dae825691856b180b95077c604c5324e82e136e51de96ea587c27a
  SHA512: fe82a4713046381361c2e24c475273d53c1d1fa428291112b3f6f6b984a5b11c50b524d5283ea8fabcbb56814d862487b68d8dd44ba42599ae4a84a26af1c1a3
- Filesize: 257B
  MD5: c0765cebdd9105eaeed16099651013d1
  SHA1: 073002c00ce739d016e6336d9e2a9ab812d0f263
  SHA256: fd6c34111156c90c34f358f9d890c27147e9d378f63a10855de4e98280735908
  SHA512: 74678cacd55a66ea0593d3ca10c1817e93903db96688d6318c36498f9d9e1dcadae3f3ed774e52d3be63ef034145bd441e7490ee1aa12ac0f6dd5147062865e9