sality | ded9acd7c3071f3477179b0729961d0975de0b81d98bf59b35da0ce75c48c584

Modify Existing Service

T1031

Processes:

e56dbed.exee56f523.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e56dbed.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

e56f523.exee56dbed.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e56dbed.exe

Windows security bypass 2 TTPs 12 IoCs

Disabling Security Tools

Modify Registry

Processes:

e56f523.exee56dbed.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e56dbed.exe

Executes dropped EXE 4 IoCs

Processes:

e56dbed.exee56dfa7.exee56f523.exee56f551.exe

pid process

4880 e56dbed.exe
1608 e56dfa7.exe
1436 e56f523.exe
4272 e56f551.exe

pid	process
4880	e56dbed.exe
1608	e56dfa7.exe
1436	e56f523.exe
4272	e56f551.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4880-134-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/4880-140-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/4880-150-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/4880-151-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/1436-154-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/1436-157-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disabling Security Tools

Modify Registry

Processes:

e56f523.exee56dbed.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e56f523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e56f523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e56dbed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e56dbed.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

e56dbed.exee56f523.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e56f523.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e56dbed.exe

description	ioc	process
File opened (read-only)	\??\Q:	e56dbed.exe
File opened (read-only)	\??\E:	e56dbed.exe
File opened (read-only)	\??\G:	e56dbed.exe
File opened (read-only)	\??\J:	e56dbed.exe
File opened (read-only)	\??\K:	e56dbed.exe
File opened (read-only)	\??\M:	e56dbed.exe
File opened (read-only)	\??\P:	e56dbed.exe
File opened (read-only)	\??\R:	e56dbed.exe
File opened (read-only)	\??\S:	e56dbed.exe
File opened (read-only)	\??\N:	e56dbed.exe
File opened (read-only)	\??\O:	e56dbed.exe
File opened (read-only)	\??\F:	e56dbed.exe
File opened (read-only)	\??\H:	e56dbed.exe
File opened (read-only)	\??\I:	e56dbed.exe
File opened (read-only)	\??\L:	e56dbed.exe

Drops file in Program Files directory 3 IoCs

Processes:

e56dbed.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e56dbed.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e56dbed.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e56dbed.exe

Drops file in Windows directory 3 IoCs

Processes:

e56dbed.exee56f523.exe

description	ioc	process
File created	C:\Windows\e56dedb	e56dbed.exe
File opened for modification	C:\Windows\SYSTEM.INI	e56dbed.exe
File created	C:\Windows\e5733e1	e56f523.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e56dbed.exee56f523.exe

pid process

4880 e56dbed.exe
4880 e56dbed.exe
4880 e56dbed.exe
4880 e56dbed.exe
1436 e56f523.exe
1436 e56f523.exe

pid	process
4880	e56dbed.exe
4880	e56dbed.exe
4880	e56dbed.exe
4880	e56dbed.exe
1436	e56f523.exe
1436	e56f523.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e56dbed.exe

description	pid	process
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe
Token: SeDebugPrivilege	4880	e56dbed.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee56dbed.exee56f523.exe

description	pid	process	target process
PID 4508 wrote to memory of 4176	4508	rundll32.exe	rundll32.exe
PID 4508 wrote to memory of 4176	4508	rundll32.exe	rundll32.exe
PID 4508 wrote to memory of 4176	4508	rundll32.exe	rundll32.exe
PID 4176 wrote to memory of 4880	4176	rundll32.exe	e56dbed.exe
PID 4176 wrote to memory of 4880	4176	rundll32.exe	e56dbed.exe
PID 4176 wrote to memory of 4880	4176	rundll32.exe	e56dbed.exe
PID 4880 wrote to memory of 788	4880	e56dbed.exe	fontdrvhost.exe
PID 4880 wrote to memory of 796	4880	e56dbed.exe	fontdrvhost.exe
PID 4880 wrote to memory of 384	4880	e56dbed.exe	dwm.exe
PID 4880 wrote to memory of 2324	4880	e56dbed.exe	sihost.exe
PID 4880 wrote to memory of 2344	4880	e56dbed.exe	svchost.exe
PID 4880 wrote to memory of 2416	4880	e56dbed.exe	taskhostw.exe
PID 4880 wrote to memory of 3036	4880	e56dbed.exe	Explorer.EXE
PID 4880 wrote to memory of 3164	4880	e56dbed.exe	svchost.exe
PID 4880 wrote to memory of 3360	4880	e56dbed.exe	DllHost.exe
PID 4880 wrote to memory of 3452	4880	e56dbed.exe	StartMenuExperienceHost.exe
PID 4880 wrote to memory of 3516	4880	e56dbed.exe	RuntimeBroker.exe
PID 4880 wrote to memory of 3612	4880	e56dbed.exe	SearchApp.exe
PID 4880 wrote to memory of 3928	4880	e56dbed.exe	RuntimeBroker.exe
PID 4880 wrote to memory of 4484	4880	e56dbed.exe	RuntimeBroker.exe
PID 4880 wrote to memory of 4508	4880	e56dbed.exe	rundll32.exe
PID 4880 wrote to memory of 4176	4880	e56dbed.exe	rundll32.exe
PID 4880 wrote to memory of 4176	4880	e56dbed.exe	rundll32.exe
PID 4176 wrote to memory of 1608	4176	rundll32.exe	e56dfa7.exe
PID 4176 wrote to memory of 1608	4176	rundll32.exe	e56dfa7.exe
PID 4176 wrote to memory of 1608	4176	rundll32.exe	e56dfa7.exe
PID 4176 wrote to memory of 1436	4176	rundll32.exe	e56f523.exe
PID 4176 wrote to memory of 1436	4176	rundll32.exe	e56f523.exe
PID 4176 wrote to memory of 1436	4176	rundll32.exe	e56f523.exe
PID 4176 wrote to memory of 4272	4176	rundll32.exe	e56f551.exe
PID 4176 wrote to memory of 4272	4176	rundll32.exe	e56f551.exe
PID 4176 wrote to memory of 4272	4176	rundll32.exe	e56f551.exe
PID 4880 wrote to memory of 788	4880	e56dbed.exe	fontdrvhost.exe
PID 4880 wrote to memory of 796	4880	e56dbed.exe	fontdrvhost.exe
PID 4880 wrote to memory of 384	4880	e56dbed.exe	dwm.exe
PID 4880 wrote to memory of 2324	4880	e56dbed.exe	sihost.exe
PID 4880 wrote to memory of 2344	4880	e56dbed.exe	svchost.exe
PID 4880 wrote to memory of 2416	4880	e56dbed.exe	taskhostw.exe
PID 4880 wrote to memory of 3036	4880	e56dbed.exe	Explorer.EXE
PID 4880 wrote to memory of 3164	4880	e56dbed.exe	svchost.exe
PID 4880 wrote to memory of 3360	4880	e56dbed.exe	DllHost.exe
PID 4880 wrote to memory of 3452	4880	e56dbed.exe	StartMenuExperienceHost.exe
PID 4880 wrote to memory of 3516	4880	e56dbed.exe	RuntimeBroker.exe
PID 4880 wrote to memory of 3612	4880	e56dbed.exe	SearchApp.exe
PID 4880 wrote to memory of 3928	4880	e56dbed.exe	RuntimeBroker.exe
PID 4880 wrote to memory of 4484	4880	e56dbed.exe	RuntimeBroker.exe
PID 4880 wrote to memory of 1608	4880	e56dbed.exe	e56dfa7.exe
PID 4880 wrote to memory of 1608	4880	e56dbed.exe	e56dfa7.exe
PID 4880 wrote to memory of 1436	4880	e56dbed.exe	e56f523.exe
PID 4880 wrote to memory of 1436	4880	e56dbed.exe	e56f523.exe
PID 4880 wrote to memory of 4272	4880	e56dbed.exe	e56f551.exe
PID 4880 wrote to memory of 4272	4880	e56dbed.exe	e56f551.exe
PID 1436 wrote to memory of 788	1436	e56f523.exe	fontdrvhost.exe
PID 1436 wrote to memory of 796	1436	e56f523.exe	fontdrvhost.exe
PID 1436 wrote to memory of 384	1436	e56f523.exe	dwm.exe
PID 1436 wrote to memory of 2324	1436	e56f523.exe	sihost.exe
PID 1436 wrote to memory of 2344	1436	e56f523.exe	svchost.exe
PID 1436 wrote to memory of 2416	1436	e56f523.exe	taskhostw.exe
PID 1436 wrote to memory of 3036	1436	e56f523.exe	Explorer.EXE
PID 1436 wrote to memory of 3164	1436	e56f523.exe	svchost.exe
PID 1436 wrote to memory of 3360	1436	e56f523.exe	DllHost.exe
PID 1436 wrote to memory of 3452	1436	e56f523.exe	StartMenuExperienceHost.exe
PID 1436 wrote to memory of 3516	1436	e56f523.exe	RuntimeBroker.exe
PID 1436 wrote to memory of 3612	1436	e56f523.exe	SearchApp.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

e56dbed.exee56f523.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e56dbed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e56f523.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2344

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2324

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3036

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\virussign.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\virussign.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:4176

C:\Users\Admin\AppData\Local\Temp\e56dbed.exe
C:\Users\Admin\AppData\Local\Temp\e56dbed.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4880

C:\Users\Admin\AppData\Local\Temp\e56dfa7.exe
C:\Users\Admin\AppData\Local\Temp\e56dfa7.exe
4⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\AppData\Local\Temp\e56f523.exe
C:\Users\Admin\AppData\Local\Temp\e56f523.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1436

C:\Users\Admin\AppData\Local\Temp\e56f551.exe
C:\Users\Admin\AppData\Local\Temp\e56f551.exe
4⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3360

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3164

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4484

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3612

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

Bypass User Account Control

T1088

Disabling Security Tools