Analysis
max time kernel: 32s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2024 14:36
Static task: static1
Behavioral task: behavioral1
Sample: 8443cdf3e9858a271ad0af65d4e76714fb874ced7c6a52a4ea4225bd280094e7N.dll
Resource: win7-20240708-en
General
Target: 8443cdf3e9858a271ad0af65d4e76714fb874ced7c6a52a4ea4225bd280094e7N.dll
Size: 120KB
MD5: 61f548c0904104195dede2c1c45410c0
SHA1: c322f1da2ebb06f11f04e360675205d12ecfb8c8
SHA256: 8443cdf3e9858a271ad0af65d4e76714fb874ced7c6a52a4ea4225bd280094e7
SHA512: c5ab1050d95ed126ac9407b7bfef8dcae45e6a4194d7d3d9d30f7f01d141134836b3b06b0ec68c4ceac180a947acb0f342080c3e7d50d37bab3c8327e3ad40be
SSDEEP: 3072:N4Zh5gLRUPXcGZ7RhUIF9ah05E9pMkpFWNwzBpmHC:N4fg+PXcGZNhUIFghUkpQKzP
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bff4.exe
Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f04b.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bff4.exe
Executes dropped EXE 3 IoCs
pid | Process
272 | e57bff4.exe
3556 | e57c13d.exe
3088 | e57f04b.exe
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bff4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bff4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f04b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f04b.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f04b.exe
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57bff4.exe
File opened (read-only) | \??\I: | e57bff4.exe
File opened (read-only) | \??\J: | e57bff4.exe
File opened (read-only) | \??\L: | e57bff4.exe
File opened (read-only) | \??\E: | e57f04b.exe
File opened (read-only) | \??\E: | e57bff4.exe
File opened (read-only) | \??\K: | e57bff4.exe
File opened (read-only) | \??\G: | e57f04b.exe
File opened (read-only) | \??\H: | e57f04b.exe
File opened (read-only) | \??\I: | e57f04b.exe
File opened (read-only) | \??\H: | e57bff4.exe
YARA rule match: upx 29 IoCs
resource | yara_rule
behavioral2/memory/272-{6,9,10,11,22,23,24,26,33,35,36,37,38,39,40,53,54,56,58,60,61,62,65}-0x0000000000770000-0x000000000182A000-memory.dmp | upx (23 dumps of the same region of PID 272, e57bff4.exe)
behavioral2/memory/3088-{95,96,98,101,122,147}-0x0000000000750000-0x000000000180A000-memory.dmp | upx (6 dumps of the same region of PID 3088, e57f04b.exe)
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57c062 | e57bff4.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57bff4.exe
File created | C:\Windows\e58179a | e57f04b.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57f04b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bff4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c13d.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
272 | e57bff4.exe (4 entries)
3088 | e57f04b.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 272 | e57bff4.exe (all 64 entries are identical: the same token, PID and process)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
The 64 entries, grouped by writing process in the order the report lists them; the number in parentheses is the procid_target column, and verbatim repeats are kept:
rundll32.exe (PID 2284) wrote to memory of 2220 (87), three entries.
rundll32.exe (PID 2220) wrote to memory of 272 (88), three entries.
e57bff4.exe (PID 272) wrote to memory of 812 (9), 816 (10), 396 (13), 3040 (51), 2772 (52), 3132 (53), 3444 (56), 3592 (57), 3784 (58), 3876 (59), 3976 (60), 4064 (61), 4124 (62), 1944 (74), 4564 (76), 2100 (77), 5104 (78), 4880 (85), 2284 (86), 2220 (87), 2220 (87).
rundll32.exe (PID 2220) wrote to memory of 3556 (89), three entries.
e57bff4.exe (PID 272) wrote to memory of 812 (9), 816 (10), 396 (13), 3040 (51), 2772 (52), 3132 (53), 3444 (56), 3592 (57), 3784 (58), 3876 (59), 3976 (60), 4064 (61), 4124 (62), 1944 (74), 4564 (76), 5104 (78), 4880 (85), 2284 (86), 3556 (89), 3556 (89).
rundll32.exe (PID 2220) wrote to memory of 3088 (90), three entries.
e57f04b.exe (PID 3088) wrote to memory of 812 (9), 816 (10), 396 (13), 3040 (51), 2772 (52), 3132 (53), 3444 (56), 3592 (57), 3784 (58), 3876 (59), 3976 (60).
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f04b.exe
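The registry writes in the signatures above (firewall policy, EnableLUA, Security Center overrides) are what a detection would key on. The script below is an added example, not code from the report or from the sample: it parses lines in the report's own "Set value" format, normalises the key path (hive prefix, ControlSet00N, WOW6432Node) so one pattern covers both registry views, and flags processes that switch off several defenses at once. The sample events are constructed: six mirror IoCs from the tables above, the seventh is a made-up benign write that must not match. The indicator labels and function names are this example's own.

```python
"""Match registry writes against the defense-impairment indicators in the
signatures above. Added example, not code from the sandbox report or sample."""
import re
from collections import defaultdict

# Constructed sample input in the report's "Set value" line format. The first
# six mirror IoCs from the tables above; the last is a made-up benign write
# (UAC switched back on by an admin tool) that must not be flagged.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57f04b.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57f04b.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57f04b.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57bff4.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57bff4.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57bff4.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" secpol.exe',
]

LINE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<process>\S+)$'
)

# Indicator table (labels are this example's own): a regex over the normalised
# value path and the data value that means a defense has been switched off.
INDICATORS = [
    ("firewall_off",
     r"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\\w+Profile\\EnableFirewall", "0"),
    ("firewall_exceptions_allowed",
     r"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\\w+Profile\\DoNotAllowExceptions", "0"),
    ("firewall_notify_off",
     r"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\\w+Profile\\DisableNotifications", "1"),
    ("uac_off",
     r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "0"),
    ("security_center_override",
     r"SOFTWARE\\Microsoft\\Security Center\\(AntiVirus|Firewall)Override", "1"),
    ("security_center_notify_off",
     r"SOFTWARE\\Microsoft\\Security Center\\(AntiVirus|Firewall|Updates|Uac)DisableNotify", "1"),
]


def normalise_key(key: str) -> str:
    """Strip the \\REGISTRY\\MACHINE hive prefix, fold ControlSet00N into
    CurrentControlSet and drop the WOW6432Node redirection, so one pattern
    covers the 32-bit and 64-bit views and every control set."""
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", "", key, flags=re.I)
    key = re.sub(r"^SYSTEM\\ControlSet\d{3}\\", r"SYSTEM\\CurrentControlSet\\", key, flags=re.I)
    key = re.sub(r"\\WOW6432Node\\", r"\\", key, flags=re.I)
    return key


def parse_event(line: str):
    """Return (process, normalised key, value), or None for lines that are not
    'Set value' entries (the 'Key created' rows in the same tables, for one)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("process"), normalise_key(m.group("key")), m.group("value")


def classify(lines):
    """Map each process to the set of indicator labels its writes triggered."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        process, key, value = parsed
        for label, pattern, bad_value in INDICATORS:
            if value == bad_value and re.fullmatch(pattern, key, flags=re.I):
                hits[process].add(label)
    return dict(hits)


def impairing_processes(hits, min_labels: int = 2):
    """Processes that hit at least `min_labels` distinct indicators. One write
    can be an admin tool; several across firewall, UAC and Security Center
    from one process is the pattern the tables above show."""
    return sorted(p for p, labels in hits.items() if len(labels) >= min_labels)


if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for process in impairing_processes(found):
        print(process, sorted(found[process]))
```

Run against the constructed events, both dropped executables are reported and the benign EnableLUA = "1" write is ignored because the value does not match. On a real host the same table can be fed from Sysmon event ID 13 (RegistryEvent value set) records after mapping the event's TargetObject to the normalised form used here.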
Processes
(image | command line | PID; indentation follows the report's depth markers, so the rundll32 chain and the three dropped executables descend from Explorer.EXE. The 64-bit system32 rundll32.exe hands the DLL off to the 32-bit SysWOW64 copy, consistent with the arch:x86 resource tag, and it is that 32-bit host that spawns the three dropped executables.)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 812
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 816
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 396
C:\Windows\system32\sihost.exe | sihost.exe | PID 3040
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2772
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3132
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3444
    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8443cdf3e9858a271ad0af65d4e76714fb874ced7c6a52a4ea4225bd280094e7N.dll,#1 | PID 2284
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8443cdf3e9858a271ad0af65d4e76714fb874ced7c6a52a4ea4225bd280094e7N.dll,#1 | PID 2220
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e57bff4.exe | C:\Users\Admin\AppData\Local\Temp\e57bff4.exe | PID 272
                signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
            C:\Users\Admin\AppData\Local\Temp\e57c13d.exe | C:\Users\Admin\AppData\Local\Temp\e57c13d.exe | PID 3556
                signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e57f04b.exe | C:\Users\Admin\AppData\Local\Temp\e57f04b.exe | PID 3088
                signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3592
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3784
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3876
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3976
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4064
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4124
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 1944
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4564
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2100
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 5104
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 4880
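The WriteProcessMemory entries and the process tree together show which processes the dropped executables wrote into. As an added example (not code from the report), the script below parses a constructed subset of those entries in the report's own format, uses the parent/child relations transcribed from the Processes section, and separates a parent writing into a child it just spawned (what process creation looks like in this trace) from writes into unrelated processes, which is the injection pattern the report shows for e57bff4.exe and e57f04b.exe. Image names and parent PIDs are copied from the tree above; the function names are this example's own.

```python
"""Rebuild the process-injection picture from 'wrote to memory' entries and
the process tree. Added example, not code from the sandbox report."""
import re
from collections import defaultdict

# pid -> (image, parent pid), transcribed from the Processes section. Depth-1
# processes have no parent listed in the report, so they get None.
PROCESSES = {
    812: ("fontdrvhost.exe", None), 816: ("fontdrvhost.exe", None),
    396: ("dwm.exe", None), 3040: ("sihost.exe", None),
    2772: ("svchost.exe", None), 3132: ("taskhostw.exe", None),
    3444: ("Explorer.EXE", None),
    2284: ("rundll32.exe", 3444),   # system32 rundll32 loading the sample DLL
    2220: ("rundll32.exe", 2284),   # SysWOW64 rundll32 re-launched by 2284
    272: ("e57bff4.exe", 2220), 3556: ("e57c13d.exe", 2220), 3088: ("e57f04b.exe", 2220),
    3592: ("svchost.exe", None), 3784: ("DllHost.exe", None),
    3876: ("StartMenuExperienceHost.exe", None), 3976: ("RuntimeBroker.exe", None),
    4064: ("SearchApp.exe", None), 4124: ("RuntimeBroker.exe", None),
    1944: ("TextInputHost.exe", None), 4564: ("RuntimeBroker.exe", None),
    2100: ("RuntimeBroker.exe", None), 5104: ("RuntimeBroker.exe", None),
    4880: ("backgroundTaskHost.exe", None),
}

# Constructed sample in the report's format: "PID <src> wrote to memory of
# <dst> <src> <image> <procid_target>". A subset of the report's entries,
# including one verbatim repeat, which the report also contains.
SAMPLE_WRITES = [
    "PID 2284 wrote to memory of 2220 2284 rundll32.exe 87",
    "PID 2220 wrote to memory of 272 2220 rundll32.exe 88",
    "PID 272 wrote to memory of 812 272 e57bff4.exe 9",
    "PID 272 wrote to memory of 396 272 e57bff4.exe 13",
    "PID 272 wrote to memory of 3444 272 e57bff4.exe 56",
    "PID 272 wrote to memory of 812 272 e57bff4.exe 9",
    "PID 3088 wrote to memory of 812 3088 e57f04b.exe 9",
    "PID 3088 wrote to memory of 3444 3088 e57f04b.exe 56",
]

WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\b")


def parse_writes(lines):
    """writer pid -> set of target pids (repeats collapse; they add nothing)."""
    writes = defaultdict(set)
    for line in lines:
        m = WRITE_RE.match(line)
        if m:
            writes[int(m.group("src"))].add(int(m.group("dst")))
    return dict(writes)


def is_own_child(src, dst, processes=PROCESSES):
    """True when dst is listed as a direct child of src in the tree."""
    entry = processes.get(dst)
    return entry is not None and entry[1] == src


def classify_writes(writes, processes=PROCESSES):
    """Split each writer's targets into its own children and foreign processes."""
    result = {}
    for src, targets in writes.items():
        own = sorted(t for t in targets if is_own_child(src, t, processes))
        foreign = sorted(t for t in targets if not is_own_child(src, t, processes))
        result[src] = {"own_child": own, "foreign": foreign}
    return result


def injectors(writes, processes=PROCESSES):
    """Writers with at least one foreign target, as (pid, image, target images)."""
    out = []
    for src, split in sorted(classify_writes(writes, processes).items()):
        if split["foreign"]:
            image = processes.get(src, ("<unknown>", None))[0]
            targets = [processes.get(t, ("<unknown>", None))[0] for t in split["foreign"]]
            out.append((src, image, targets))
    return out


if __name__ == "__main__":
    for pid, image, targets in injectors(parse_writes(SAMPLE_WRITES)):
        print(f"{image} ({pid}) wrote into {len(targets)} foreign processes: {', '.join(targets)}")
```

On the constructed subset, both rundll32 instances only write into the child they spawn and are not reported, while the two dropped executables are reported with dwm.exe, fontdrvhost.exe and Explorer.EXE as foreign targets. Feeding it all 64 entries from the table above gives the full target list for each of them.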
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 35fc85d571b4b495a7e84a32414fd245
SHA1: 880db62ab4f63ce666a5dd8f8e5ab3786b0ed4af
SHA256: e3c0f5aaf3b895e6c67e100b201ac090164139ddc21ac3a852d361ca8b1545a3
SHA512: bcd8f0c48402b9a4171837d9b86ea51cfaefe319f75fbed58d6d3129e44a7e5b0560cdbdc023f81e26c30fa63f53a4e0ce88d0bc07e20dc0ff099856f5bfb1e4

Filesize: 257B
MD5: e51bc22eef364a4a1e5b418ebdde8a58
SHA1: 507a8ac4c5087f3446fbeb5eb146bfd4c8e47365
SHA256: 40c5ee117a8a4eaa2cf41229c1ebe4a18d92d03d2f8280319cf3a681a30332c4
SHA512: 4cdbff9fa39fea5299547acfc117dfc3d4050c9f87fb2b874049eb486af62c654e1cbc38b2d8e83ab39953a63d4497d61055447d554cc5d91cabc43d9d4a7aca