Analysis
max time kernel: 32s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 15:34
Static task: static1
Behavioral task: behavioral1
Sample: 00c57fe6c3c0477ed34944a6ef6512fe485db00aef3e798eaefbd97312611b2cN.dll
Resource: win7-20240903-en
General
Target: 00c57fe6c3c0477ed34944a6ef6512fe485db00aef3e798eaefbd97312611b2cN.dll
Size: 120KB
MD5: d4d9eed9ba0d0b07623a57c29cdbdf10
SHA1: 60a540135a13a0941d76548f4a0e5849786c7797
SHA256: 00c57fe6c3c0477ed34944a6ef6512fe485db00aef3e798eaefbd97312611b2c
SHA512: d2ad6c94b788c9aab5a20ef156e2bd6eff808e9934eb6ded7a554e5b8bab901e537563dfbc450e7339bc96da07108c5b94e297694aa9cadf17c15623da8b6126
SSDEEP: 1536:KAjgel2pHKnfktQ13oJ45y/b8ddA7xowtqGHLXmZ0rO4Hikw92cDH9LTA:zUpqnfkQ666bWdA7uw17yQnHikk2cDu
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a596.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d65b.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d65b.exe
Executes dropped EXE (3 IoCs)
pid | Process
2656 | e57a596.exe
3272 | e57a77b.exe
1864 | e57d65b.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a596.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d65b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d65b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a596.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d65b.exe
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e57a596.exe
File opened (read-only) | \??\H: | e57a596.exe
File opened (read-only) | \??\I: | e57a596.exe
File opened (read-only) | \??\M: | e57a596.exe
File opened (read-only) | \??\G: | e57d65b.exe
File opened (read-only) | \??\H: | e57d65b.exe
File opened (read-only) | \??\G: | e57a596.exe
File opened (read-only) | \??\J: | e57a596.exe
File opened (read-only) | \??\K: | e57a596.exe
File opened (read-only) | \??\L: | e57a596.exe
File opened (read-only) | \??\E: | e57d65b.exe
File opened (read-only) | \??\I: | e57d65b.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57a5f4 | e57a596.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a596.exe
File created | C:\Windows\e57fe55 | e57d65b.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a596.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a77b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d65b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2656 | e57a596.exe
2656 | e57a596.exe
2656 | e57a596.exe
2656 | e57a596.exe
1864 | e57d65b.exe
1864 | e57d65b.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (63 IoCs)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a596.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d65b.exe
Processes
(depth in the process tree in brackets; path, then command line, then PID)

[1] C:\Windows\system32\fontdrvhost.exe  --  "fontdrvhost.exe"  --  PID 776
[1] C:\Windows\system32\fontdrvhost.exe  --  "fontdrvhost.exe"  --  PID 780
[1] C:\Windows\system32\dwm.exe  --  "dwm.exe"  --  PID 316
[1] C:\Windows\system32\sihost.exe  --  sihost.exe  --  PID 2972
[1] C:\Windows\system32\svchost.exe  --  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  --  PID 3060
[1] C:\Windows\system32\taskhostw.exe  --  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  --  PID 672
[1] C:\Windows\Explorer.EXE  --  C:\Windows\Explorer.EXE  --  PID 3396
  [2] C:\Windows\system32\rundll32.exe  --  rundll32.exe C:\Users\Admin\AppData\Local\Temp\00c57fe6c3c0477ed34944a6ef6512fe485db00aef3e798eaefbd97312611b2cN.dll,#1  --  PID 3440
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32.exe  --  rundll32.exe C:\Users\Admin\AppData\Local\Temp\00c57fe6c3c0477ed34944a6ef6512fe485db00aef3e798eaefbd97312611b2cN.dll,#1  --  PID 3592
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\e57a596.exe  --  C:\Users\Admin\AppData\Local\Temp\e57a596.exe  --  PID 2656
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
      [4] C:\Users\Admin\AppData\Local\Temp\e57a77b.exe  --  C:\Users\Admin\AppData\Local\Temp\e57a77b.exe  --  PID 3272
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Local\Temp\e57d65b.exe  --  C:\Users\Admin\AppData\Local\Temp\e57d65b.exe  --  PID 1864
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - System policy modification
[1] C:\Windows\system32\svchost.exe  --  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  --  PID 3536
[1] C:\Windows\system32\DllHost.exe  --  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  --  PID 3732
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  --  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  --  PID 3820
[1] C:\Windows\System32\RuntimeBroker.exe  --  C:\Windows\System32\RuntimeBroker.exe -Embedding  --  PID 3888
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  --  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  --  PID 3968
[1] C:\Windows\System32\RuntimeBroker.exe  --  C:\Windows\System32\RuntimeBroker.exe -Embedding  --  PID 3480
[1] C:\Windows\System32\RuntimeBroker.exe  --  C:\Windows\System32\RuntimeBroker.exe -Embedding  --  PID 5108
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  --  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  --  PID 1192
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

File 1
Filesize: 97KB
MD5: aeedaa4ab3ec0bb5dc1871d489a38547
SHA1: 22b183f00b9ffba0723481262b22228a66099e73
SHA256: 47db4fb291a3ea9bec3d18b293ea41fe2b34d0b63bd2de8a055c1325ce2eea9b
SHA512: 2ab218dd78c8d6abcd9de618211e71f91abe01b1f21fd13f7da844a95d5965d8b847b70e54af65068ff7651bc29a46df4ecaf54a8bfcd119a4fd94efa21b4e6f

File 2
Filesize: 257B
MD5: aa5cde7b8b2b86d61684d29cae5d03f6
SHA1: 3313e8c218918952f4e98d5d5243bdc51154a26a
SHA256: 50b0b8acc4b0968e11c1c07359b69ff42c7543ee804f4e03290be27118376df9
SHA512: c95cf03672501ccca00b32000d61999cf02c44b9d046436d8b44968cd9692031eb8bd26f067cf1081e1f20e82d4819aa4aaabf77d96a92a9f2e335d5219af0d2