Analysis
max time kernel: 92s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 21:36
Static task: static1
Behavioral task: behavioral1
Sample: 4471ec4b2b6280b130c29c74c6438b61cc4eac5411cbb7984177e64f382e0be4.dll
Resource: win7-20240903-en
General
Target: 4471ec4b2b6280b130c29c74c6438b61cc4eac5411cbb7984177e64f382e0be4.dll
Size: 120KB
MD5: 569dbc3e62f64310d59e8feb04e67efa
SHA1: 78207b8218f357a31cc489b1bcc43273211ee09b
SHA256: 4471ec4b2b6280b130c29c74c6438b61cc4eac5411cbb7984177e64f382e0be4
SHA512: e0804d23fcab2576e422cd06e4cf6aed634ddcce8e0e74de7826d1078af402bb7c2e536dc2a659bcae0279846cb556016ba7bccb4dc2355a34f0b0c2138d1adc
SSDEEP: 3072:IArJjMrZDYiin0kCKBXcbbAZ13quJCbT:IeJjMrxYfM0MXAJEbT
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57cbcc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57cbcc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57cbcc.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cbcc.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57cbcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57cbcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57cbcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57cbcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57cbcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57cbcc.exe
Executes dropped EXE (3 IoCs)
pid | Process
616 | e57a5d5.exe
2972 | e57a71d.exe
4716 | e57cbcc.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57cbcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57cbcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57cbcc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57cbcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57cbcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a5d5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57cbcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57cbcc.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cbcc.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57a5d5.exe
File opened (read-only) | \??\M: | e57a5d5.exe
File opened (read-only) | \??\N: | e57a5d5.exe
File opened (read-only) | \??\E: | e57cbcc.exe
File opened (read-only) | \??\J: | e57cbcc.exe
File opened (read-only) | \??\E: | e57a5d5.exe
File opened (read-only) | \??\H: | e57a5d5.exe
File opened (read-only) | \??\L: | e57a5d5.exe
File opened (read-only) | \??\G: | e57cbcc.exe
File opened (read-only) | \??\I: | e57a5d5.exe
File opened (read-only) | \??\J: | e57a5d5.exe
File opened (read-only) | \??\K: | e57a5d5.exe
File opened (read-only) | \??\H: | e57cbcc.exe
File opened (read-only) | \??\I: | e57cbcc.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57f82b | e57cbcc.exe
File created | C:\Windows\e57a613 | e57a5d5.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a5d5.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a71d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57cbcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a5d5.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
616 | e57a5d5.exe
616 | e57a5d5.exe
616 | e57a5d5.exe
616 | e57a5d5.exe
4716 | e57cbcc.exe
4716 | e57cbcc.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a5d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cbcc.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
  PID: 788
- C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
  PID: 796
- C:\Windows\system32\dwm.exe
  cmd: "dwm.exe"
  PID: 60
- C:\Windows\system32\sihost.exe
  cmd: sihost.exe
  PID: 2476
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2492
- C:\Windows\system32\taskhostw.exe
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2916
- C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  PID: 3492
  - C:\Windows\system32\rundll32.exe
    cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4471ec4b2b6280b130c29c74c6438b61cc4eac5411cbb7984177e64f382e0be4.dll,#1
    PID: 1300
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4471ec4b2b6280b130c29c74c6438b61cc4eac5411cbb7984177e64f382e0be4.dll,#1
      PID: 4880
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57a5d5.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e57a5d5.exe
        PID: 616
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57a71d.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e57a71d.exe
        PID: 2972
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57cbcc.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e57cbcc.exe
        PID: 4716
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3628
- C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3812
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3900
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3968
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4052
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2720
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 2108
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4136
- C:\Windows\system32\backgroundTaskHost.exe
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 1752
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4456
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4604
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: f9dc17f6dc60b9a74244a6b0dc8ebfaf
  SHA1: b788caa75bfd264448b450ac5c627e28d311afae
  SHA256: ac57e444c06e5b6c52c238879aa530f5ca07dab8edb52680cc5b28acf36411cc
  SHA512: 2e41d6e385e7048b2dee0a335551695032b47ed94a0a7d069e8fdacad763a0aa3f805ebfcd5bc563195b4cd5e2304d5fdcb316efed507fed9f37c0becbcc3f18
- Filesize: 257B
  MD5: ae2002c5725cb2064a9719e922b6f0b9
  SHA1: 1cc80c9b247622137c535bcc4d4b0a34ec70c280
  SHA256: 2003741f6f5cf84535ee5915f8a538a483f094941908faff42f4508773a6f1a6
  SHA512: 37b47c2f140df233259021933050da1b809907789534c01a2b827904d249d10ed216b46857603c3550142682eefb30520b4a2cd712d1b64ed3c15e37944c5957