Analysis
  max time kernel:   122s
  max time network:  153s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231215-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         19/02/2024, 21:45
  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  Resource:          win7-20231215-en
General
  Target:   73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  Size:     3.0MB
  MD5:      a4d8ae019f013517c7557012dba59dc6
  SHA1:     43b595ed13b1fe31dcd57f65689d7d89db524953
  SHA256:   73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232
  SHA512:   ec470ed69989f656d967bd5b025dc7fb59cc0381b238568a63f844a1c114e9448727431317dfb6a4170bea2ff54faea95d9d15e296ff02f8486f50767c00d945
  SSDEEP:   49152:RBwpxPJg7JW4jhzQpxSlDvZajSiOWJ40PCLdt5bqUl33kwpPN:RBwpxhg7JW4NkpqiOWJ4PLdTqUxV
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process (all rows): 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  description        ioc
  Set value (int)    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
  Set value (int)    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int)    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"

UAC bypass
  Process (all rows): 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  description        ioc
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
  Process (all rows): 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  description        ioc
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule matches
  resource                                                                        yara_rule
  behavioral2/memory/1744-N-0x00000000025F0000-0x00000000036AA000-memory.dmp      upx
  (39 matching dumps of the same memory range, with N = 2, 4, 12, 14, 18, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 39, 42, 44, 46, 49, 51, 53, 59, 60, 62, 64, 66, 68, 69, 70, 72, 75, 77, 79, 81, 83)

Windows security modification
  Process (all rows): 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  description        ioc
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
  Process (all rows): 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  description        ioc
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process (all rows): 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  description                ioc
  File opened (read-only)    \??\H:
  File opened (read-only)    \??\I:
  File opened (read-only)    \??\M:
  File opened (read-only)    \??\R:
  File opened (read-only)    \??\T:
  File opened (read-only)    \??\X:
  File opened (read-only)    \??\E:
  File opened (read-only)    \??\G:
  File opened (read-only)    \??\P:
  File opened (read-only)    \??\S:
  File opened (read-only)    \??\V:
  File opened (read-only)    \??\Y:
  File opened (read-only)    \??\K:
  File opened (read-only)    \??\L:
  File opened (read-only)    \??\N:
  File opened (read-only)    \??\U:
  File opened (read-only)    \??\W:
  File opened (read-only)    \??\Z:
  File opened (read-only)    \??\J:
  File opened (read-only)    \??\O:
  File opened (read-only)    \??\Q:

Drops autorun.inf file (1 TTPs, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Process (all rows): 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  description                      ioc
  File opened for modification     F:\autorun.inf
  File opened for modification     C:\autorun.inf

Drops file in Program Files directory (13 IoCs)
  Process (all rows): 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  description                      ioc
  File opened for modification     C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
  File opened for modification     C:\Program Files\7-Zip\7zG.exe
  File opened for modification     C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
  File opened for modification     C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
  File opened for modification     C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini
  File opened for modification     C:\Program Files\7-Zip\7zFM.exe
  File opened for modification     C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
  File opened for modification     C:\Program Files\7-Zip\7z.exe
  File opened for modification     C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
  File opened for modification     C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
  File opened for modification     C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
  File opened for modification     C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini
  File opened for modification     C:\Program Files\7-Zip\Uninstall.exe

Drops file in Windows directory (2 IoCs)
  Process (all rows): 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  description                      ioc
  File created                     C:\Windows\e5768eb
  File opened for modification     C:\Windows\SYSTEM.INI

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid     Process
  1744    73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  (64 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                pid     Process
  Token: SeDebugPrivilege    1744    73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  (64 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  Process (all rows): 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  description                         pid     procid_target
  PID 1744 wrote to memory of 808     1744    80
  PID 1744 wrote to memory of 816     1744    79
  PID 1744 wrote to memory of 336     1744    6
  PID 1744 wrote to memory of 2468    1744    51
  PID 1744 wrote to memory of 2484    1744    50
  PID 1744 wrote to memory of 2612    1744    47
  PID 1744 wrote to memory of 3356    1744    39
  PID 1744 wrote to memory of 3568    1744    37
  PID 1744 wrote to memory of 3784    1744    36
  PID 1744 wrote to memory of 3880    1744    35
  PID 1744 wrote to memory of 3984    1744    12
  PID 1744 wrote to memory of 4072    1744    34
  PID 1744 wrote to memory of 4184    1744    33
  PID 1744 wrote to memory of 4948    1744    21
  PID 1744 wrote to memory of 3556    1744    20
  (this sequence of 15 targets repeats in the same order until the 64-entry cap; the last cycle ends at target 2468)

System policy modification (1 TTPs, 1 IoCs)
  Process (all rows): 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
  description        ioc
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes

  C:\Windows\system32\dwm.exe
    command line: "dwm.exe"
    PID: 336

  C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3984

  C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3556

  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 4948

  C:\Users\Admin\AppData\Local\Temp\73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe"
    PID: 1744
    signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

  C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4184

  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 4072

  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3880

  C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3784

  C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3568

  C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3356

  C:\Windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2612

  C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2484

  C:\Windows\system32\sihost.exe
    command line: sihost.exe
    PID: 2468

  C:\Windows\system32\fontdrvhost.exe
    command line: "fontdrvhost.exe"
    PID: 816

  C:\Windows\system32\fontdrvhost.exe
    command line: "fontdrvhost.exe"
    PID: 808
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Create or Modify System Process (1)
      Windows Service (1)
  Defense Evasion
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Impair Defenses (3)
      Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

  Filesize:  186B
  MD5:       2e3de2fbdda5f9c6fb1cb9ad979fa705
  SHA1:      f6217c1f8bb9b781084080964008bc93cde4f38a
  SHA256:    4061506aa6b8964bbec32ad56a28195406ef195992c8d803e5c566f148ab7a15
  SHA512:    f0129b17e1ee25eadf893046b341be6fb4700954e525853f9ee24b55f40f239064aa5ba0c3a26c9c18ab9772fe38c7da3efe4dd2874caf0a7298e511d1e20c97

  Filesize:  159B
  MD5:       5289160c2a9057ca6f3c1f10dd2d145c
  SHA1:      1f5cdc1848caf557f3691a15994b4c6b17eca466
  SHA256:    a0b848a4f79c5a26b158cbb2171b88a435959509a3b09dfa674b3f703fa9011f
  SHA512:    2570b2efe97b12e02d6d064df653da0addbca508d11d0fd9b0f31d8890f7524c45cbd95465720869e895acf268332ce0750906ed9a6f7a8db5525d7bfe09f5ce