Analysis

max time kernel: 32s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2025 13:03

Static task: static1
Behavioral task: behavioral1
Sample: 6717725dc4a26b5a822c25a52dcc238dcf8ff2ea84139a365116572b84fb6a4fN.dll
Resource: win7-20240903-en

General

Target: 6717725dc4a26b5a822c25a52dcc238dcf8ff2ea84139a365116572b84fb6a4fN.dll
Size: 120KB
MD5: a54829696ae4927232d966f31ce47860
SHA1: b152277b24be0e8fba6ac44546071e484cdc0092
SHA256: 6717725dc4a26b5a822c25a52dcc238dcf8ff2ea84139a365116572b84fb6a4f
SHA512: 7438aac9fbd158d6421026ecf626d5047578ea8329b0fc4f45bc7ef183be693084c21df633445d3d1d6998a9c3a1a9a4bb28fefdfab4c0b79be083191d11e907
SSDEEP: 1536:p3svEzuYfaX3/BAd4rXdHd9NOEbM8CB/p4X5DkHJhrAj5HGsXxd1lPxxR4X5jKbH:46inhXlzNOJpyX54HTG5ms1lPxx6It
Malware Config

Extracted: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c469.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c469.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c469.exe

Sality family
UAC bypass (3 TTPs, 2 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c469.exe
Windows security bypass (2 TTPs, 12 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c469.exe
Executes dropped EXE (3 IoCs)

pid | Process
1912 | e57951c.exe
5104 | e579700.exe
4092 | e57c469.exe
Windows security modification (2 TTPs, 14 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57951c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c469.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c469.exe
Checks whether UAC is enabled (1 TTPs, 2 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c469.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\K: | e57951c.exe
File opened (read-only) | \??\L: | e57951c.exe
File opened (read-only) | \??\M: | e57951c.exe
File opened (read-only) | \??\E: | e57c469.exe
File opened (read-only) | \??\H: | e57c469.exe
File opened (read-only) | \??\E: | e57951c.exe
File opened (read-only) | \??\G: | e57951c.exe
File opened (read-only) | \??\H: | e57951c.exe
File opened (read-only) | \??\I: | e57c469.exe
File opened (read-only) | \??\J: | e57c469.exe
File opened (read-only) | \??\I: | e57951c.exe
File opened (read-only) | \??\J: | e57951c.exe
File opened (read-only) | \??\G: | e57c469.exe
resource | yara_rule
(braces list the dump indices that share one memory region; all 26 dumps matched the same rule)
behavioral2/memory/1912-{8,9,10,11,12,13,14,24,25,26,35,36,37,38,39,45,55,56,57,59,61,63,65,70}-0x0000000000810000-0x00000000018CA000-memory.dmp (24 dumps) | upx
behavioral2/memory/4092-{110,145}-0x0000000000760000-0x000000000181A000-memory.dmp (2 dumps) | upx
Drops file in Windows directory (3 IoCs)

description | ioc | Process
File created | C:\Windows\e57ebe6 | e57c469.exe
File created | C:\Windows\e5795a8 | e57951c.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57951c.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57951c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579700.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c469.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)

pid | Process | count
1912 | e57951c.exe | x4
4092 | e57c469.exe | x2
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description | pid | Process | count
Token: SeDebugPrivilege | 1912 | e57951c.exe | x64 (all 64 IoCs are this same row)
Suspicious use of WriteProcessMemory (64 IoCs)
(consecutive identical rows are collapsed; the count column gives the number of times the row appears)

description | pid | Process | procid_target | count
PID 1244 wrote to memory of 4148 | 1244 | rundll32.exe | 83 | x3
PID 4148 wrote to memory of 1912 | 4148 | rundll32.exe | 84 | x3
PID 1912 wrote to memory of 780 | 1912 | e57951c.exe | 8 | x1
PID 1912 wrote to memory of 784 | 1912 | e57951c.exe | 9 | x1
PID 1912 wrote to memory of 1020 | 1912 | e57951c.exe | 13 | x1
PID 1912 wrote to memory of 2800 | 1912 | e57951c.exe | 49 | x1
PID 1912 wrote to memory of 2844 | 1912 | e57951c.exe | 50 | x1
PID 1912 wrote to memory of 408 | 1912 | e57951c.exe | 53 | x1
PID 1912 wrote to memory of 3444 | 1912 | e57951c.exe | 56 | x1
PID 1912 wrote to memory of 3564 | 1912 | e57951c.exe | 57 | x1
PID 1912 wrote to memory of 3748 | 1912 | e57951c.exe | 58 | x1
PID 1912 wrote to memory of 3844 | 1912 | e57951c.exe | 59 | x1
PID 1912 wrote to memory of 3908 | 1912 | e57951c.exe | 60 | x1
PID 1912 wrote to memory of 3992 | 1912 | e57951c.exe | 61 | x1
PID 1912 wrote to memory of 4100 | 1912 | e57951c.exe | 62 | x1
PID 1912 wrote to memory of 3932 | 1912 | e57951c.exe | 74 | x1
PID 1912 wrote to memory of 3404 | 1912 | e57951c.exe | 76 | x1
PID 1912 wrote to memory of 2752 | 1912 | e57951c.exe | 80 | x1
PID 1912 wrote to memory of 1176 | 1912 | e57951c.exe | 81 | x1
PID 1912 wrote to memory of 1244 | 1912 | e57951c.exe | 82 | x1
PID 1912 wrote to memory of 4148 | 1912 | e57951c.exe | 83 | x2
PID 4148 wrote to memory of 5104 | 4148 | rundll32.exe | 85 | x3
PID 1912 wrote to memory of 780 | 1912 | e57951c.exe | 8 | x1
PID 1912 wrote to memory of 784 | 1912 | e57951c.exe | 9 | x1
PID 1912 wrote to memory of 1020 | 1912 | e57951c.exe | 13 | x1
PID 1912 wrote to memory of 2800 | 1912 | e57951c.exe | 49 | x1
PID 1912 wrote to memory of 2844 | 1912 | e57951c.exe | 50 | x1
PID 1912 wrote to memory of 408 | 1912 | e57951c.exe | 53 | x1
PID 1912 wrote to memory of 3444 | 1912 | e57951c.exe | 56 | x1
PID 1912 wrote to memory of 3564 | 1912 | e57951c.exe | 57 | x1
PID 1912 wrote to memory of 3748 | 1912 | e57951c.exe | 58 | x1
PID 1912 wrote to memory of 3844 | 1912 | e57951c.exe | 59 | x1
PID 1912 wrote to memory of 3908 | 1912 | e57951c.exe | 60 | x1
PID 1912 wrote to memory of 3992 | 1912 | e57951c.exe | 61 | x1
PID 1912 wrote to memory of 4100 | 1912 | e57951c.exe | 62 | x1
PID 1912 wrote to memory of 3932 | 1912 | e57951c.exe | 74 | x1
PID 1912 wrote to memory of 3404 | 1912 | e57951c.exe | 76 | x1
PID 1912 wrote to memory of 2752 | 1912 | e57951c.exe | 80 | x1
PID 1912 wrote to memory of 1176 | 1912 | e57951c.exe | 81 | x1
PID 1912 wrote to memory of 1244 | 1912 | e57951c.exe | 82 | x1
PID 1912 wrote to memory of 5104 | 1912 | e57951c.exe | 85 | x2
PID 4148 wrote to memory of 4092 | 4148 | rundll32.exe | 89 | x3
PID 4092 wrote to memory of 780 | 4092 | e57c469.exe | 8 | x1
PID 4092 wrote to memory of 784 | 4092 | e57c469.exe | 9 | x1
PID 4092 wrote to memory of 1020 | 4092 | e57c469.exe | 13 | x1
PID 4092 wrote to memory of 2800 | 4092 | e57c469.exe | 49 | x1
PID 4092 wrote to memory of 2844 | 4092 | e57c469.exe | 50 | x1
PID 4092 wrote to memory of 408 | 4092 | e57c469.exe | 53 | x1
PID 4092 wrote to memory of 3444 | 4092 | e57c469.exe | 56 | x1
PID 4092 wrote to memory of 3564 | 4092 | e57c469.exe | 57 | x1
PID 4092 wrote to memory of 3748 | 4092 | e57c469.exe | 58 | x1
PID 4092 wrote to memory of 3844 | 4092 | e57c469.exe | 59 | x1
PID 4092 wrote to memory of 3908 | 4092 | e57c469.exe | 60 | x1
PID 4092 wrote to memory of 3992 | 4092 | e57c469.exe | 61 | x1
System policy modification (1 TTPs, 2 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57951c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c469.exe
Processes
(each entry lists the image path, the command line, any signatures triggered, and the PID; child processes are indented under their parent)

C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  PID:780

C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  PID:784

C:\Windows\system32\dwm.exe
  "dwm.exe"
  PID:1020

C:\Windows\system32\sihost.exe
  sihost.exe
  PID:2800

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID:2844

C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID:408

C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  PID:3444

    C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6717725dc4a26b5a822c25a52dcc238dcf8ff2ea84139a365116572b84fb6a4fN.dll,#1
      - Suspicious use of WriteProcessMemory
      PID:1244

        C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\6717725dc4a26b5a822c25a52dcc238dcf8ff2ea84139a365116572b84fb6a4fN.dll,#1
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:4148

            C:\Users\Admin\AppData\Local\Temp\e57951c.exe
              C:\Users\Admin\AppData\Local\Temp\e57951c.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID:1912

            C:\Users\Admin\AppData\Local\Temp\e579700.exe
              C:\Users\Admin\AppData\Local\Temp\e579700.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID:5104

            C:\Users\Admin\AppData\Local\Temp\e57c469.exe
              C:\Users\Admin\AppData\Local\Temp\e57c469.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID:4092

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID:3564

C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:3748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID:3844

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:3992

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:4100

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID:3932

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3404

C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID:2752

C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID:1176

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3980

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3976
Network
MITRE ATT&CK Enterprise v15
(tactic, then technique and sub-technique, with the number of matching signatures in parentheses)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: d1acac98f2919508273d47b347b2bf7c
SHA1: 91d525c2a80f12b97e71cf92453e2feec15d1d45
SHA256: 796ebf1194cdb9f6a683cf9562ebe67b410d598f540b225a8770568bfe2d65d3
SHA512: 979728128504f1671949dd477de4382d153e312fa1b0deccd33fb24074cf935324e19e543596aa3241332194048460d8dec3612da04d551a2994d4a00e419045

Filesize: 256B
MD5: b34db68506254573ead8bf37e5cd72b8
SHA1: 6b39f74e56b967c23965f24ae96442cf8b771264
SHA256: 74a72540b51917868da09570dd86d80150d23d4e463a72758b85a076f864cfef
SHA512: 675b58ef5b908fa325fcf56d18434f27948da3aaa1aaf71cd473d94554ba88788b579570cb3f1d6bf0709cbd272ed1d62404cbe28b2a38ae86c9174c922a8acc