Analysis
max time kernel: 110s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2024, 02:39
Static task: static1
Behavioral task: behavioral1
Sample: 27f1832257fca01fb31dcb7a4c626558e9109cc3e510ef3ee8103a9081d6dfb9N.dll
Resource: win7-20240903-en
General
Target: 27f1832257fca01fb31dcb7a4c626558e9109cc3e510ef3ee8103a9081d6dfb9N.dll
Size: 120KB
MD5: c980290cb64d969311c0660848a48570
SHA1: fb7ba2c165950b9c9c86dfac79417502ff64cacf
SHA256: 27f1832257fca01fb31dcb7a4c626558e9109cc3e510ef3ee8103a9081d6dfb9
SHA512: ec5e98ad029929fc9e4c7c906ac06736b89626dd65c4c41b42f9493426e8badd64a94ff6d72f7f0e25dcabb416e7d90cd602b0fa8c47dd42a360278f03b17ee8
SSDEEP: 1536:xSw75ive6oA72hCNIgtr+AZdugMSsw83QlTJPwX54bWmFMHrRI/5HYQnBFLHnT1T:DNiW6vawv+WAgMkrK54bWmfNjB1pT
Malware Config
Extracted (family: sality)
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a4eb.exe
Sality family
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a4eb.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c851.exe
Executes dropped EXE (3 IoCs)
pid | Process
4396 | e57a4eb.exe
1844 | e57a8d3.exe
980 | e57c851.exe
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c851.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c851.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c851.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a4eb.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c851.exe
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e57c851.exe
File opened (read-only) | \??\G: | e57c851.exe
File opened (read-only) | \??\E: | e57a4eb.exe
File opened (read-only) | \??\G: | e57a4eb.exe
File opened (read-only) | \??\H: | e57a4eb.exe
File opened (read-only) | \??\I: | e57a4eb.exe
File opened (read-only) | \??\M: | e57a4eb.exe
File opened (read-only) | \??\J: | e57a4eb.exe
File opened (read-only) | \??\K: | e57a4eb.exe
File opened (read-only) | \??\L: | e57a4eb.exe
File opened (read-only) | \??\H: | e57c851.exe
File opened (read-only) | \??\I: | e57c851.exe
UPX packed file
resource | yara_rule
behavioral2/memory/4396-N-0x0000000000740000-0x00000000017FA000-memory.dmp | upx (24 dumps of PID 4396 at the same region, N = 8, 9, 10, 11, 12, 13, 24, 31, 34, 35, 36, 37, 38, 46, 48, 56, 60, 62, 64, 65, 67, 69, 72, 77)
behavioral2/memory/980-112-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/980-143-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57a7c9 | e57a4eb.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a4eb.exe
File created | C:\Windows\e57f935 | e57c851.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a4eb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a8d3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c851.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4396 | e57a4eb.exe (4 occurrences)
980 | e57c851.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4396 | e57a4eb.exe (the same entry repeated 64 times)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2592 wrote to memory of 4160 | 2592 | rundll32.exe | 84
PID 2592 wrote to memory of 4160 | 2592 | rundll32.exe | 84
PID 2592 wrote to memory of 4160 | 2592 | rundll32.exe | 84
PID 4160 wrote to memory of 4396 | 4160 | rundll32.exe | 87
PID 4160 wrote to memory of 4396 | 4160 | rundll32.exe | 87
PID 4160 wrote to memory of 4396 | 4160 | rundll32.exe | 87
PID 4396 wrote to memory of 792 | 4396 | e57a4eb.exe | 8
PID 4396 wrote to memory of 800 | 4396 | e57a4eb.exe | 9
PID 4396 wrote to memory of 380 | 4396 | e57a4eb.exe | 13
PID 4396 wrote to memory of 2640 | 4396 | e57a4eb.exe | 44
PID 4396 wrote to memory of 2676 | 4396 | e57a4eb.exe | 46
PID 4396 wrote to memory of 2848 | 4396 | e57a4eb.exe | 49
PID 4396 wrote to memory of 3428 | 4396 | e57a4eb.exe | 55
PID 4396 wrote to memory of 3640 | 4396 | e57a4eb.exe | 57
PID 4396 wrote to memory of 3832 | 4396 | e57a4eb.exe | 58
PID 4396 wrote to memory of 3928 | 4396 | e57a4eb.exe | 59
PID 4396 wrote to memory of 3992 | 4396 | e57a4eb.exe | 60
PID 4396 wrote to memory of 4080 | 4396 | e57a4eb.exe | 61
PID 4396 wrote to memory of 3576 | 4396 | e57a4eb.exe | 62
PID 4396 wrote to memory of 4548 | 4396 | e57a4eb.exe | 75
PID 4396 wrote to memory of 3604 | 4396 | e57a4eb.exe | 76
PID 4396 wrote to memory of 3148 | 4396 | e57a4eb.exe | 81
PID 4396 wrote to memory of 2992 | 4396 | e57a4eb.exe | 82
PID 4396 wrote to memory of 2592 | 4396 | e57a4eb.exe | 83
PID 4396 wrote to memory of 4160 | 4396 | e57a4eb.exe | 84
PID 4396 wrote to memory of 4160 | 4396 | e57a4eb.exe | 84
PID 4396 wrote to memory of 3684 | 4396 | e57a4eb.exe | 86
PID 4160 wrote to memory of 1844 | 4160 | rundll32.exe | 88
PID 4160 wrote to memory of 1844 | 4160 | rundll32.exe | 88
PID 4160 wrote to memory of 1844 | 4160 | rundll32.exe | 88
PID 4160 wrote to memory of 980 | 4160 | rundll32.exe | 90
PID 4160 wrote to memory of 980 | 4160 | rundll32.exe | 90
PID 4160 wrote to memory of 980 | 4160 | rundll32.exe | 90
PID 4396 wrote to memory of 792 | 4396 | e57a4eb.exe | 8
PID 4396 wrote to memory of 800 | 4396 | e57a4eb.exe | 9
PID 4396 wrote to memory of 380 | 4396 | e57a4eb.exe | 13
PID 4396 wrote to memory of 2640 | 4396 | e57a4eb.exe | 44
PID 4396 wrote to memory of 2676 | 4396 | e57a4eb.exe | 46
PID 4396 wrote to memory of 2848 | 4396 | e57a4eb.exe | 49
PID 4396 wrote to memory of 3428 | 4396 | e57a4eb.exe | 55
PID 4396 wrote to memory of 3640 | 4396 | e57a4eb.exe | 57
PID 4396 wrote to memory of 3832 | 4396 | e57a4eb.exe | 58
PID 4396 wrote to memory of 3928 | 4396 | e57a4eb.exe | 59
PID 4396 wrote to memory of 3992 | 4396 | e57a4eb.exe | 60
PID 4396 wrote to memory of 4080 | 4396 | e57a4eb.exe | 61
PID 4396 wrote to memory of 3576 | 4396 | e57a4eb.exe | 62
PID 4396 wrote to memory of 4548 | 4396 | e57a4eb.exe | 75
PID 4396 wrote to memory of 3604 | 4396 | e57a4eb.exe | 76
PID 4396 wrote to memory of 3148 | 4396 | e57a4eb.exe | 81
PID 4396 wrote to memory of 2992 | 4396 | e57a4eb.exe | 82
PID 4396 wrote to memory of 3684 | 4396 | e57a4eb.exe | 86
PID 4396 wrote to memory of 1844 | 4396 | e57a4eb.exe | 88
PID 4396 wrote to memory of 1844 | 4396 | e57a4eb.exe | 88
PID 4396 wrote to memory of 1036 | 4396 | e57a4eb.exe | 89
PID 4396 wrote to memory of 980 | 4396 | e57a4eb.exe | 90
PID 4396 wrote to memory of 980 | 4396 | e57a4eb.exe | 90
PID 980 wrote to memory of 792 | 980 | e57c851.exe | 8
PID 980 wrote to memory of 800 | 980 | e57c851.exe | 9
PID 980 wrote to memory of 380 | 980 | e57c851.exe | 13
PID 980 wrote to memory of 2640 | 980 | e57c851.exe | 44
PID 980 wrote to memory of 2676 | 980 | e57c851.exe | 46
PID 980 wrote to memory of 2848 | 980 | e57c851.exe | 49
PID 980 wrote to memory of 3428 | 980 | e57c851.exe | 55
PID 980 wrote to memory of 3640 | 980 | e57c851.exe | 57
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a4eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c851.exe
Processes
(process tree; indentation shows parent/child depth)
- [PID 792] C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- [PID 800] C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- [PID 380] C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
- [PID 2640] C:\Windows\system32\sihost.exe
  command line: sihost.exe
- [PID 2676] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- [PID 2848] C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- [PID 3428] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - [PID 2592] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27f1832257fca01fb31dcb7a4c626558e9109cc3e510ef3ee8103a9081d6dfb9N.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - [PID 4160] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27f1832257fca01fb31dcb7a4c626558e9109cc3e510ef3ee8103a9081d6dfb9N.dll,#1
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - [PID 4396] C:\Users\Admin\AppData\Local\Temp\e57a4eb.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57a4eb.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - [PID 1844] C:\Users\Admin\AppData\Local\Temp\e57a8d3.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57a8d3.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - [PID 980] C:\Users\Admin\AppData\Local\Temp\e57c851.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57c851.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- [PID 3640] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- [PID 3832] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [PID 3928] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- [PID 3992] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [PID 4080] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- [PID 3576] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [PID 4548] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- [PID 3604] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [PID 3148] C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- [PID 2992] C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- [PID 3684] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [PID 1036] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: 83159e3fc5788b3155febdb35f297757
SHA1: 4d6f1281f01ba684c8689798a5f9f715be96fb5e
SHA256: 9633b65b72cda175b870d0e5ae6b56ce0b614e66a79a1a6222eb2619f65f128c
SHA512: 0699ab629aab53d13725ab4188fe74c4ee60a31df0e71945e092875da936643c01bc543a442ec5e4a61cf6f80bc687b7586375406b30c7c8dbe46278fd3fb45e
-
Filesize: 257B
MD5: 54503d8291d8e54cc1f18bff07349bce
SHA1: b7a7c37babd90488f6e191602ff216ddc0811705
SHA256: a08ae85871cb3b10717677cd9839b48dff3727e2566e78ac7846a22422956a56
SHA512: 055c0aa54b5f7959e7949fa5693441d481cae23b9f3d73ca7fc81a6871a00ea86b32616e2245dffd6f496c7e6f2a3254f4421696ee89a0c2d26c637dff1a2846