Analysis
max time kernel: 32s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2024 07:28
Static task: static1
Behavioral task: behavioral1
Sample: 7bf709be2da5b9b5057c2784310a81eef1ba5cf971b880d53e8745ed78d4ba6e.dll
Resource: win7-20240903-en
General
Target: 7bf709be2da5b9b5057c2784310a81eef1ba5cf971b880d53e8745ed78d4ba6e.dll
Size: 120KB
MD5: 723c9be16c2df16fb682a02d883fd723
SHA1: b95c6d32470c269345ea4dafb7e469f135bb97fd
SHA256: 7bf709be2da5b9b5057c2784310a81eef1ba5cf971b880d53e8745ed78d4ba6e
SHA512: a2e52ca03e3ff87395e4bb85061bc904cfb502fa5d2fbe23fbc6552d925d98eae352ec17fd20dff64cab251e047685e9e5c7e480cef17d291fe8cd97340e94d0
SSDEEP: 1536:xzo8bYt+jqCTy0u7rWNBlEIASKyDpTEwKHqwMcgEIyM56ywZC4Eh8L9KGMjnVq:x88bYtsqQaHPSdDqZgEHM56nCN8snRq
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c890.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c890.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c890.exe
Sality family
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c890.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c890.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c890.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c890.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c890.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c890.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c890.exe
Executes dropped EXE 4 IoCs
pid | Process
1464 | e579839.exe
2796 | e579a0d.exe
232 | e57c890.exe
4972 | e57c8af.exe
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c890.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c890.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c890.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c890.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c890.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579839.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c890.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c890.exe
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c890.exe
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e579839.exe
File opened (read-only) | \??\K: | e579839.exe
File opened (read-only) | \??\L: | e579839.exe
File opened (read-only) | \??\M: | e579839.exe
File opened (read-only) | \??\H: | e57c890.exe
File opened (read-only) | \??\I: | e57c890.exe
File opened (read-only) | \??\E: | e579839.exe
File opened (read-only) | \??\H: | e579839.exe
File opened (read-only) | \??\I: | e579839.exe
File opened (read-only) | \??\J: | e579839.exe
File opened (read-only) | \??\E: | e57c890.exe
File opened (read-only) | \??\G: | e57c890.exe
Yara rule match (upx) 29 IoCs
resource | yara_rule
behavioral2/memory/1464-6-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-12-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-9-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-11-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-13-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-28-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-34-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-19-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-10-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-8-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-29-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-36-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-37-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-38-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-39-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-40-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-46-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-61-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-63-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-64-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-65-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-67-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-68-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-72-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1464-73-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/232-99-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/232-113-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/232-156-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/232-157-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57effd | e57c890.exe
File created | C:\Windows\e579896 | e579839.exe
File opened for modification | C:\Windows\SYSTEM.INI | e579839.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579a0d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c890.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c8af.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579839.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1464 | e579839.exe
1464 | e579839.exe
1464 | e579839.exe
1464 | e579839.exe
232 | e57c890.exe
232 | e57c890.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1464 | e579839.exe (all 64 entries are identical to this row)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3672 wrote to memory of 4276 | 3672 | rundll32.exe | 83
PID 3672 wrote to memory of 4276 | 3672 | rundll32.exe | 83
PID 3672 wrote to memory of 4276 | 3672 | rundll32.exe | 83
PID 4276 wrote to memory of 1464 | 4276 | rundll32.exe | 84
PID 4276 wrote to memory of 1464 | 4276 | rundll32.exe | 84
PID 4276 wrote to memory of 1464 | 4276 | rundll32.exe | 84
PID 1464 wrote to memory of 784 | 1464 | e579839.exe | 8
PID 1464 wrote to memory of 792 | 1464 | e579839.exe | 9
PID 1464 wrote to memory of 380 | 1464 | e579839.exe | 13
PID 1464 wrote to memory of 2976 | 1464 | e579839.exe | 50
PID 1464 wrote to memory of 3004 | 1464 | e579839.exe | 51
PID 1464 wrote to memory of 664 | 1464 | e579839.exe | 53
PID 1464 wrote to memory of 3452 | 1464 | e579839.exe | 56
PID 1464 wrote to memory of 3552 | 1464 | e579839.exe | 57
PID 1464 wrote to memory of 3744 | 1464 | e579839.exe | 58
PID 1464 wrote to memory of 3836 | 1464 | e579839.exe | 59
PID 1464 wrote to memory of 3900 | 1464 | e579839.exe | 60
PID 1464 wrote to memory of 3972 | 1464 | e579839.exe | 61
PID 1464 wrote to memory of 4144 | 1464 | e579839.exe | 62
PID 1464 wrote to memory of 1592 | 1464 | e579839.exe | 75
PID 1464 wrote to memory of 1380 | 1464 | e579839.exe | 76
PID 1464 wrote to memory of 4600 | 1464 | e579839.exe | 81
PID 1464 wrote to memory of 3672 | 1464 | e579839.exe | 82
PID 1464 wrote to memory of 4276 | 1464 | e579839.exe | 83
PID 1464 wrote to memory of 4276 | 1464 | e579839.exe | 83
PID 4276 wrote to memory of 2796 | 4276 | rundll32.exe | 85
PID 4276 wrote to memory of 2796 | 4276 | rundll32.exe | 85
PID 4276 wrote to memory of 2796 | 4276 | rundll32.exe | 85
PID 1464 wrote to memory of 784 | 1464 | e579839.exe | 8
PID 1464 wrote to memory of 792 | 1464 | e579839.exe | 9
PID 1464 wrote to memory of 380 | 1464 | e579839.exe | 13
PID 1464 wrote to memory of 2976 | 1464 | e579839.exe | 50
PID 1464 wrote to memory of 3004 | 1464 | e579839.exe | 51
PID 1464 wrote to memory of 664 | 1464 | e579839.exe | 53
PID 1464 wrote to memory of 3452 | 1464 | e579839.exe | 56
PID 1464 wrote to memory of 3552 | 1464 | e579839.exe | 57
PID 1464 wrote to memory of 3744 | 1464 | e579839.exe | 58
PID 1464 wrote to memory of 3836 | 1464 | e579839.exe | 59
PID 1464 wrote to memory of 3900 | 1464 | e579839.exe | 60
PID 1464 wrote to memory of 3972 | 1464 | e579839.exe | 61
PID 1464 wrote to memory of 4144 | 1464 | e579839.exe | 62
PID 1464 wrote to memory of 1592 | 1464 | e579839.exe | 75
PID 1464 wrote to memory of 1380 | 1464 | e579839.exe | 76
PID 1464 wrote to memory of 4600 | 1464 | e579839.exe | 81
PID 1464 wrote to memory of 3672 | 1464 | e579839.exe | 82
PID 1464 wrote to memory of 2796 | 1464 | e579839.exe | 85
PID 1464 wrote to memory of 2796 | 1464 | e579839.exe | 85
PID 4276 wrote to memory of 232 | 4276 | rundll32.exe | 86
PID 4276 wrote to memory of 232 | 4276 | rundll32.exe | 86
PID 4276 wrote to memory of 232 | 4276 | rundll32.exe | 86
PID 4276 wrote to memory of 4972 | 4276 | rundll32.exe | 87
PID 4276 wrote to memory of 4972 | 4276 | rundll32.exe | 87
PID 4276 wrote to memory of 4972 | 4276 | rundll32.exe | 87
PID 232 wrote to memory of 784 | 232 | e57c890.exe | 8
PID 232 wrote to memory of 792 | 232 | e57c890.exe | 9
PID 232 wrote to memory of 380 | 232 | e57c890.exe | 13
PID 232 wrote to memory of 2976 | 232 | e57c890.exe | 50
PID 232 wrote to memory of 3004 | 232 | e57c890.exe | 51
PID 232 wrote to memory of 664 | 232 | e57c890.exe | 53
PID 232 wrote to memory of 3452 | 232 | e57c890.exe | 56
PID 232 wrote to memory of 3552 | 232 | e57c890.exe | 57
PID 232 wrote to memory of 3744 | 232 | e57c890.exe | 58
PID 232 wrote to memory of 3836 | 232 | e57c890.exe | 59
PID 232 wrote to memory of 3900 | 232 | e57c890.exe | 60
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579839.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c890.exe
Processes
(image path | command line | PID; child processes are indented under their parent, signatures are listed with "-" beneath the process they fired on)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:380
C:\Windows\system32\sihost.exe | sihost.exe | PID:2976
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3004
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:664
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3452
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\7bf709be2da5b9b5057c2784310a81eef1ba5cf971b880d53e8745ed78d4ba6e.dll,#1 | PID:3672
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\7bf709be2da5b9b5057c2784310a81eef1ba5cf971b880d53e8745ed78d4ba6e.dll,#1 | PID:4276
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e579839.exe | C:\Users\Admin\AppData\Local\Temp\e579839.exe | PID:1464
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e579a0d.exe | C:\Users\Admin\AppData\Local\Temp\e579a0d.exe | PID:2796
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57c890.exe | C:\Users\Admin\AppData\Local\Temp\e57c890.exe | PID:232
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57c8af.exe | C:\Users\Admin\AppData\Local\Temp\e57c8af.exe | PID:4972
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3552
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3744
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3836
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3900
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3972
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4144
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1592
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1380
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4600
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 97KB
MD5: 59ad41e5f852be61bc913fd2a2e9be06
SHA1: f7b1d2515331157c6234baba1600f2d845fd89fa
SHA256: 52aa7161a8267830ebbaae1d52b5714f90db62a5000d944a4faa378f12dd7b82
SHA512: 481d5f011e481217e03af27fce7936dce561642a401dae29aafe3fd2443ca75f1f98e07813f9fd970b3ce7a2a7333796b40c0596954c42a520213919c37486f2

Filesize: 257B
MD5: 791fa1754c15b7d7b34a6d6bb39bef4d
SHA1: e33a3242ae0b75abb1124930cee4da4b5ca1a1c9
SHA256: 87030b72efb20830ef7233b92b9eef711a915cc8c05a41a7722c6ae9c30207a9
SHA512: b3a960cda3b8aed5e243cb7ad8a9dd7d997e4dfb5b5dc611e9c73633f0680b84511abaf24327f20af5f061248a9b64b23244516bde196baf18904a0fd84b0910