Analysis

max time kernel: 30s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-07-2024 10:04

Static task: static1
Behavioral task: behavioral1
Sample: 98945dcbfb967d06c0cb3d47cd25dac0N.dll
Resource: win7-20240704-en
General

Target: 98945dcbfb967d06c0cb3d47cd25dac0N.dll
Size: 120KB
MD5: 98945dcbfb967d06c0cb3d47cd25dac0
SHA1: ba6a2e6c89b2788a80ffae2683ac08143b1b447a
SHA256: 04fe527b33e238b7a4e7887cc70586ee799614a2d236290452c03af03147467d
SHA512: cebefe198556a1a913d6f89bb1e5a749613eddc7330311308899d0a9dc3eac28660fc373581e9970e174531b7e9fadc519aeb7bfd656872a42277846dca83d3d
SSDEEP: 3072:ifnjDu+nx6cLkh0xOXCpH7lVQ/qvObL35qC0inYfjV7:SuqLkhEOXgH7l6/BbL3oinEj
Malware Config

Extracted
Family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d5ce.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d5ce.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d5ce.exe

UAC bypass

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d5ce.exe

Windows security bypass

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d5ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d5ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d5ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d5ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d5ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d5ce.exe

Executes dropped EXE (4 IoCs)

pid | Process
5056 | e57ad86.exe
4472 | e57aefd.exe
4340 | e57d59f.exe
5020 | e57d5ce.exe
Windows security modification

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d5ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d5ce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d5ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d5ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d5ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d5ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ad86.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d5ce.exe

Checks whether UAC is enabled

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d5ce.exe

Enumerates connected drives (3 TTPs, 16 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\I: | e57ad86.exe
File opened (read-only) | \??\K: | e57ad86.exe
File opened (read-only) | \??\P: | e57ad86.exe
File opened (read-only) | \??\E: | e57d5ce.exe
File opened (read-only) | \??\E: | e57ad86.exe
File opened (read-only) | \??\M: | e57ad86.exe
File opened (read-only) | \??\N: | e57ad86.exe
File opened (read-only) | \??\I: | e57d5ce.exe
File opened (read-only) | \??\H: | e57ad86.exe
File opened (read-only) | \??\L: | e57ad86.exe
File opened (read-only) | \??\O: | e57ad86.exe
File opened (read-only) | \??\H: | e57d5ce.exe
File opened (read-only) | \??\G: | e57ad86.exe
File opened (read-only) | \??\J: | e57ad86.exe
File opened (read-only) | \??\G: | e57d5ce.exe
File opened (read-only) | \??\J: | e57d5ce.exe

Drops file in Program Files directory (3 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57ad86.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57ad86.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57ad86.exe

Drops file in Windows directory (3 IoCs)

description | ioc | Process
File created | C:\Windows\e57ae22 | e57ad86.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57ad86.exe
File created | C:\Windows\e57ff11 | e57d5ce.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)

pid | Process
5056 | e57ad86.exe
5056 | e57ad86.exe
5056 | e57ad86.exe
5056 | e57ad86.exe
5020 | e57d5ce.exe
5020 | e57d5ce.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 5056 | e57ad86.exe (the same entry is recorded 64 times)

Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 2300 wrote to memory of 5024 | 2300 | rundll32.exe | 84
PID 2300 wrote to memory of 5024 | 2300 | rundll32.exe | 84
PID 2300 wrote to memory of 5024 | 2300 | rundll32.exe | 84
PID 5024 wrote to memory of 5056 | 5024 | rundll32.exe | 85
PID 5024 wrote to memory of 5056 | 5024 | rundll32.exe | 85
PID 5024 wrote to memory of 5056 | 5024 | rundll32.exe | 85
PID 5056 wrote to memory of 768 | 5056 | e57ad86.exe | 8
PID 5056 wrote to memory of 776 | 5056 | e57ad86.exe | 9
PID 5056 wrote to memory of 316 | 5056 | e57ad86.exe | 13
PID 5056 wrote to memory of 2972 | 5056 | e57ad86.exe | 50
PID 5056 wrote to memory of 3016 | 5056 | e57ad86.exe | 51
PID 5056 wrote to memory of 3104 | 5056 | e57ad86.exe | 52
PID 5056 wrote to memory of 3620 | 5056 | e57ad86.exe | 56
PID 5056 wrote to memory of 3760 | 5056 | e57ad86.exe | 57
PID 5056 wrote to memory of 3948 | 5056 | e57ad86.exe | 58
PID 5056 wrote to memory of 4040 | 5056 | e57ad86.exe | 59
PID 5056 wrote to memory of 2696 | 5056 | e57ad86.exe | 60
PID 5056 wrote to memory of 2692 | 5056 | e57ad86.exe | 61
PID 5056 wrote to memory of 4232 | 5056 | e57ad86.exe | 62
PID 5056 wrote to memory of 4264 | 5056 | e57ad86.exe | 75
PID 5056 wrote to memory of 2176 | 5056 | e57ad86.exe | 76
PID 5056 wrote to memory of 2408 | 5056 | e57ad86.exe | 81
PID 5056 wrote to memory of 3012 | 5056 | e57ad86.exe | 82
PID 5056 wrote to memory of 2300 | 5056 | e57ad86.exe | 83
PID 5056 wrote to memory of 5024 | 5056 | e57ad86.exe | 84
PID 5056 wrote to memory of 5024 | 5056 | e57ad86.exe | 84
PID 5024 wrote to memory of 4472 | 5024 | rundll32.exe | 86
PID 5024 wrote to memory of 4472 | 5024 | rundll32.exe | 86
PID 5024 wrote to memory of 4472 | 5024 | rundll32.exe | 86
PID 5024 wrote to memory of 4340 | 5024 | rundll32.exe | 94
PID 5024 wrote to memory of 4340 | 5024 | rundll32.exe | 94
PID 5024 wrote to memory of 4340 | 5024 | rundll32.exe | 94
PID 5024 wrote to memory of 5020 | 5024 | rundll32.exe | 95
PID 5024 wrote to memory of 5020 | 5024 | rundll32.exe | 95
PID 5024 wrote to memory of 5020 | 5024 | rundll32.exe | 95
PID 5056 wrote to memory of 768 | 5056 | e57ad86.exe | 8
PID 5056 wrote to memory of 776 | 5056 | e57ad86.exe | 9
PID 5056 wrote to memory of 316 | 5056 | e57ad86.exe | 13
PID 5056 wrote to memory of 2972 | 5056 | e57ad86.exe | 50
PID 5056 wrote to memory of 3016 | 5056 | e57ad86.exe | 51
PID 5056 wrote to memory of 3104 | 5056 | e57ad86.exe | 52
PID 5056 wrote to memory of 3620 | 5056 | e57ad86.exe | 56
PID 5056 wrote to memory of 3760 | 5056 | e57ad86.exe | 57
PID 5056 wrote to memory of 3948 | 5056 | e57ad86.exe | 58
PID 5056 wrote to memory of 4040 | 5056 | e57ad86.exe | 59
PID 5056 wrote to memory of 2696 | 5056 | e57ad86.exe | 60
PID 5056 wrote to memory of 2692 | 5056 | e57ad86.exe | 61
PID 5056 wrote to memory of 4232 | 5056 | e57ad86.exe | 62
PID 5056 wrote to memory of 4264 | 5056 | e57ad86.exe | 75
PID 5056 wrote to memory of 2176 | 5056 | e57ad86.exe | 76
PID 5056 wrote to memory of 2408 | 5056 | e57ad86.exe | 81
PID 5056 wrote to memory of 3012 | 5056 | e57ad86.exe | 82
PID 5056 wrote to memory of 4472 | 5056 | e57ad86.exe | 86
PID 5056 wrote to memory of 4472 | 5056 | e57ad86.exe | 86
PID 5056 wrote to memory of 3240 | 5056 | e57ad86.exe | 88
PID 5056 wrote to memory of 4512 | 5056 | e57ad86.exe | 89
PID 5056 wrote to memory of 4340 | 5056 | e57ad86.exe | 94
PID 5056 wrote to memory of 4340 | 5056 | e57ad86.exe | 94
PID 5056 wrote to memory of 5020 | 5056 | e57ad86.exe | 95
PID 5056 wrote to memory of 5020 | 5056 | e57ad86.exe | 95
PID 5020 wrote to memory of 768 | 5020 | e57d5ce.exe | 8
PID 5020 wrote to memory of 776 | 5020 | e57d5ce.exe | 9
PID 5020 wrote to memory of 316 | 5020 | e57d5ce.exe | 13
PID 5020 wrote to memory of 2972 | 5020 | e57d5ce.exe | 50

System policy modification (1 TTPs, 2 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ad86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d5ce.exe
Processes

Each entry is: PID | image path | command line. Indentation follows the nesting level shown in the report; signature hits are listed beneath the process that triggered them.

PID 768 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
PID 776 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
PID 316 | C:\Windows\system32\dwm.exe | "dwm.exe"
PID 2972 | C:\Windows\system32\sihost.exe | sihost.exe
PID 3016 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 3104 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3620 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
    PID 2300 | C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\98945dcbfb967d06c0cb3d47cd25dac0N.dll,#1
        - Suspicious use of WriteProcessMemory
        PID 5024 | C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\98945dcbfb967d06c0cb3d47cd25dac0N.dll,#1
            - Suspicious use of WriteProcessMemory
            PID 5056 | C:\Users\Admin\AppData\Local\Temp\e57ad86.exe | C:\Users\Admin\AppData\Local\Temp\e57ad86.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            PID 4472 | C:\Users\Admin\AppData\Local\Temp\e57aefd.exe | C:\Users\Admin\AppData\Local\Temp\e57aefd.exe
                - Executes dropped EXE
            PID 4340 | C:\Users\Admin\AppData\Local\Temp\e57d59f.exe | C:\Users\Admin\AppData\Local\Temp\e57d59f.exe
                - Executes dropped EXE
            PID 5020 | C:\Users\Admin\AppData\Local\Temp\e57d5ce.exe | C:\Users\Admin\AppData\Local\Temp\e57d5ce.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
PID 3760 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3948 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 4040 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 2696 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2692 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4232 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4264 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 2176 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2408 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
PID 3012 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 3240 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4512 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: f9bed6724377ffa31e5de2303329d4f0
SHA1: bf57eca8e0d5632c0e4267666480c06db2bff8df
SHA256: b92641cef92248150299f1ee23dcdd5ca4a02728dde526a2736d07abb9c5eefd
SHA512: 72115cc7f7b375bf8620fc042c894b4b745dbcdc6887e86018509049dc243275aeb5fc59dfbbccfe8b4567a40367af7a565da5e1bab85a14714698b4837dba9c

Filesize: 257B
MD5: d892a4eedcc4c0111bc6ba49f1806134
SHA1: 29364117be1555b6f83a287cc3cc10389b335ae9
SHA256: c2a9185eba872ecd3c6942397d33fbab5c1343392623eece5a8632afe550a235
SHA512: 98fdfb5c14590c07b64183fce2f6deb3ed9427ffe8bd8a7b8455fb5d5676eb1541c4b823deae7917dcec3dea3890b37c8d428ce62654e25e6c88300d50caf572