Analysis

  max time kernel    148s
  max time network   150s
  platform           windows10-2004_x64
  resource           win10v2004-20241007-en
  resource tags      arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted          16-12-2024 00:30

Static task
  static1

Behavioral task
  behavioral1
    Sample    875db80a0a413e8f78f7120c878460494b1f4199f8d5aa20e646098818fa21a4.dll
    Resource  win7-20240903-en
General

  Target   875db80a0a413e8f78f7120c878460494b1f4199f8d5aa20e646098818fa21a4.dll
  Size     120KB
  MD5      df8e4237a548ebe1eaa080e1f13eaa32
  SHA1     d0746ec564e3ddd5a2aa18ab9117235cac640a74
  SHA256   875db80a0a413e8f78f7120c878460494b1f4199f8d5aa20e646098818fa21a4
  SHA512   e1d91cfb057c44a231a6a0d26c38ca298bf49bbfd2a0d838e9ff4e18f796faa3ab4d83428db6f2660b7ff76bc437633d693359d80539a118d039ea360d4d5615
  SSDEEP   3072:ryAedAKhJ7/CxMq5DPuzCXrBnoH78o08Ug:redAwxY5DPe43oJ
Malware Config

Extracted configuration, family: sality
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  (3 TTPs, 6 IoCs)
  Set value (int) under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
    EnableFirewall = "0"          e57c217.exe, e57f5e9.exe
    DoNotAllowExceptions = "0"    e57c217.exe, e57f5e9.exe
    DisableNotifications = "1"    e57c217.exe, e57f5e9.exe

Sality family

UAC bypass  (2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"    e57c217.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"    e57f5e9.exe

Windows security bypass  (12 IoCs)
  Set value (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center (WOW6432Node is where
  HKLM\SOFTWARE writes from a 32-bit process land on a 64-bit host; the DLL is tagged arch:x86 and the droppers
  are started by the SysWOW64 rundll32.exe):
    AntiVirusDisableNotify = "1"   e57c217.exe, e57f5e9.exe
    FirewallDisableNotify = "1"    e57c217.exe, e57f5e9.exe
    UpdatesDisableNotify = "1"     e57c217.exe, e57f5e9.exe
    UacDisableNotify = "1"         e57c217.exe, e57f5e9.exe
    AntiVirusOverride = "1"        e57c217.exe, e57f5e9.exe
    FirewallOverride = "1"         e57c217.exe, e57f5e9.exe
Executes dropped EXE  (3 IoCs)
  PID 2252  e57c217.exe
  PID 2540  e57c3cd.exe
  PID 3844  e57f5e9.exe

Windows security modification  (14 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc    e57c217.exe, e57f5e9.exe
  Set value (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
    AntiVirusDisableNotify = "1"   e57c217.exe, e57f5e9.exe
    FirewallDisableNotify = "1"    e57c217.exe, e57f5e9.exe
    UpdatesDisableNotify = "1"     e57c217.exe, e57f5e9.exe
    UacDisableNotify = "1"         e57c217.exe, e57f5e9.exe
    AntiVirusOverride = "1"        e57c217.exe, e57f5e9.exe
    FirewallOverride = "1"         e57c217.exe, e57f5e9.exe

Checks whether UAC is enabled  (2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"    e57c217.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"    e57f5e9.exe
Enumerates connected drives  (3 TTPs, 13 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\E:  \??\G:  \??\H:  \??\I:  \??\J:  \??\K:  \??\L:  \??\M:    e57c217.exe
  File opened (read-only)  \??\E:  \??\G:  \??\H:  \??\I:  \??\J:                            e57f5e9.exe

Yara rule match: upx  (30 IoCs)
  behavioral2/memory/2252-<n>-0x00000000008A0000-0x000000000195A000-memory.dmp    upx
    n = 6, 8, 9, 10, 11, 12, 13, 15, 20, 28, 34, 35, 36, 37, 38, 39, 45, 46, 47, 58, 60, 61, 62, 64, 69, 77
  behavioral2/memory/3844-<n>-0x0000000000860000-0x000000000191A000-memory.dmp    upx
    n = 103, 110, 131, 156
  Every dump of the two droppers' image regions matches the upx rule, i.e. the rule fires on the packed image in
  memory rather than on a single unpacking moment.
Drops file in Windows directory  (3 IoCs)
  File created                  C:\Windows\e57c2c3       e57c217.exe
  File opened for modification  C:\Windows\SYSTEM.INI    e57c217.exe
  File created                  C:\Windows\e581d37       e57f5e9.exe

System Location Discovery: System Language Discovery  (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe, e57c217.exe, e57c3cd.exe, e57f5e9.exe

Suspicious behavior: EnumeratesProcesses  (6 IoCs)
  PID 2252  e57c217.exe   (4 entries)
  PID 3844  e57f5e9.exe   (2 entries)

Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  Token: SeDebugPrivilege    PID 2252  e57c217.exe   (64 identical entries)
Suspicious use of WriteProcessMemory  (63 IoCs)
  Grouped by writing process (the report lists the entries chronologically). The number in brackets is the
  report's procid_target index, "xN" the number of identical entries.
  4964 rundll32.exe   -> 3572 [82] x3
  3572 rundll32.exe   -> 2252 [83] x3, 2540 [84] x3, 3844 [85] x3
  2252 e57c217.exe    -> 780 [9], 788 [10], 388 [13], 2488 [42], 2524 [43], 2672 [46], 3388 [56], 3552 [57],
                         3756 [58], 3924 [59], 3992 [60], 4072 [61], 4116 [62], 2220 [64], 3376 [75], 4964 [81]
                         (each x2); 3572 [82] x2; 2540 [84] x2
  3844 e57f5e9.exe    -> 780 [9], 788 [10], 388 [13], 2488 [42], 2524 [43], 2672 [46], 3388 [56], 3552 [57],
                         3756 [58], 3924 [59], 3992 [60], 4072 [61], 4116 [62], 2220 [64], 3376 [75] (each x1)
  The three identical writes from each rundll32.exe into a process it has just started are the usual
  process-creation writes. The writes from e57c217.exe and e57f5e9.exe into every top-level process of the
  session (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, StartMenuExperienceHost,
  RuntimeBroker, SearchApp, TextInputHost) are the injection behaviour worth hunting for.
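Flattened WriteProcessMemory records hide the fan-out. The PowerShell below is an added example, not part of the sandbox report: it parses the raw "wrote to memory of" lines (the embedded input is a constructed excerpt of the table above), groups them by writing process and resolves the target PIDs to image names copied from the Processes section. The flagging threshold of five distinct targets is an assumed value, not something the sandbox computes.

```powershell
# Added example (not from the report). Parse sandbox WriteProcessMemory records,
# group by writer and count distinct targets to surface injection fan-out.

# Constructed input: an excerpt of the report's own WriteProcessMemory table.
$Records = @'
PID 4964 wrote to memory of 3572 4964 rundll32.exe 82
PID 3572 wrote to memory of 2252 3572 rundll32.exe 83
PID 2252 wrote to memory of 780 2252 e57c217.exe 9
PID 2252 wrote to memory of 788 2252 e57c217.exe 10
PID 2252 wrote to memory of 388 2252 e57c217.exe 13
PID 2252 wrote to memory of 2488 2252 e57c217.exe 42
PID 2252 wrote to memory of 2672 2252 e57c217.exe 46
PID 2252 wrote to memory of 3388 2252 e57c217.exe 56
PID 2252 wrote to memory of 3572 2252 e57c217.exe 82
PID 3572 wrote to memory of 3844 3572 rundll32.exe 85
PID 3844 wrote to memory of 780 3844 e57f5e9.exe 9
PID 3844 wrote to memory of 388 3844 e57f5e9.exe 13
PID 3844 wrote to memory of 2488 3844 e57f5e9.exe 42
PID 3844 wrote to memory of 3388 3844 e57f5e9.exe 56
PID 3844 wrote to memory of 3376 3844 e57f5e9.exe 75
'@

# PID -> image name, copied from the Processes section of the report.
$PidNames = @{
    388 = 'dwm.exe'; 780 = 'fontdrvhost.exe'; 788 = 'fontdrvhost.exe'; 2252 = 'e57c217.exe'
    2488 = 'sihost.exe'; 2672 = 'taskhostw.exe'; 3376 = 'TextInputHost.exe'; 3388 = 'Explorer.EXE'
    3572 = 'rundll32.exe (SysWOW64)'; 3844 = 'e57f5e9.exe'; 4964 = 'rundll32.exe'
}

function ConvertFrom-WpmRecord {
    # One object per "PID <src> wrote to memory of <dst> <src> <image> <index>" line;
    # lines that do not match the shape are skipped.
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$') {
            [pscustomobject]@{
                Source      = [int]$Matches[1]
                Image       = $Matches[3]
                Target      = [int]$Matches[2]
                TargetIndex = [int]$Matches[4]
            }
        }
    }
}

function Get-InjectionFanOut {
    # Group by writer and count distinct targets. A parent writing into the child it
    # just spawned (rundll32 -> dropper) is ordinary; a process writing into many
    # unrelated processes is the pattern to flag. Threshold is an assumed value.
    param([Parameter(Mandatory)][string]$Text, [int]$Threshold = 5)
    ConvertFrom-WpmRecord -Text $Text | Group-Object -Property Source | ForEach-Object {
        $targets = @($_.Group.Target | Sort-Object -Unique)
        [pscustomobject]@{
            Source  = [int]$_.Name
            Image   = $_.Group[0].Image
            Targets = $targets.Count
            Events  = $_.Count
            Flagged = ($targets.Count -ge $Threshold)
            Victims = ($targets | ForEach-Object {
                           if ($PidNames.ContainsKey($_)) { "$_ $($PidNames[$_])" } else { "$_" }
                       }) -join ', '
        }
    } | Sort-Object -Property Targets -Descending
}

Get-InjectionFanOut -Text $Records | Format-Table -AutoSize -Wrap
```

On the excerpt, e57c217.exe (7 distinct targets) and e57f5e9.exe (5) come out flagged while both rundll32.exe instances do not; pasting the full table from the report gives 18 and 15 distinct targets respectively.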
System policy modification  (1 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"    e57c217.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"    e57f5e9.exe
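The registry and file indicators under Signatures can be checked directly on a suspect host. The PowerShell below is an added example written for this page, not the sandbox's or the malware's code. It assumes an elevated prompt, reads the live hive through CurrentControlSet where the report shows ControlSet001, and additionally checks the native (non-WOW6432Node) Security Center path, which the report does not show; the extensionless hex filename heuristic for files dropped into C:\Windows is mine, since the names e57c2c3 and e581d37 are specific to this run.

```powershell
# Added example (not from the report): host triage for the registry and file
# artifacts this report attributes to e57c217.exe / e57f5e9.exe.
# Assumptions: run elevated; CurrentControlSet stands in for ControlSet001;
# the native Security Center path is checked as well as the WOW6432Node one.

$FirewallKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ScKeys      = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center',   # path recorded in the report
    'HKLM:\SOFTWARE\Microsoft\Security Center'                # assumed native view, not in the report
)

# Value name and the data the sample wrote, per the Signatures section.
$RegistryIocs = @(
    @{ Key = $FirewallKey; Name = 'EnableFirewall';       Written = 0 },
    @{ Key = $FirewallKey; Name = 'DoNotAllowExceptions'; Written = 0 },
    @{ Key = $FirewallKey; Name = 'DisableNotifications'; Written = 1 },
    @{ Key = $PolicyKey;   Name = 'EnableLUA';            Written = 0 }
)
foreach ($key in $ScKeys) {
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
                      'UacDisableNotify', 'AntiVirusOverride', 'FirewallOverride') {
        $RegistryIocs += @{ Key = $key; Name = $name; Written = 1 }
    }
}

# SHA256 values taken from the General and Downloads sections of the report.
$KnownSha256 = @{
    '875DB80A0A413E8F78F7120C878460494B1F4199F8D5AA20E646098818FA21A4' = 'submitted DLL (120KB)'
    '610404C9F454CFC507E86A82F14D3B20FFFE1FFAA2039A80D90BE3228C94D9D3' = 'run artifact (97KB)'
    '5F5ECF319D1D62D1310328BB2F1F8E5F0DDF9E83C60EC4BACD5C7B695730F184' = 'run artifact (257B)'
}

function Test-SalityRegistry {
    # One object per value that exists on the host; Match means the current data
    # equals what the sample wrote. Absent values are not reported: most of the
    # Security Center names do not exist on a clean machine, and EnableLUA = 0 can
    # also be a deliberate administrative setting, so a match is a lead, not a verdict.
    foreach ($ioc in $RegistryIocs) {
        $props = Get-ItemProperty -Path $ioc.Key -Name $ioc.Name -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $current = $props.($ioc.Name)
        [pscustomobject]@{
            Key     = $ioc.Key
            Name    = $ioc.Name
            Current = $current
            Match   = ($current -eq $ioc.Written)
        }
    }
}

function Test-SalityFiles {
    # Dropped names are per-run, so the reusable signal is an extensionless,
    # hex-looking file written straight into %SystemRoot% (heuristic, mine).
    Get-ChildItem -Path $env:SystemRoot -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '' -and $_.Name -match '^[0-9a-f]{6,8}$' } |
        Select-Object FullName, Length, LastWriteTime
    # The report shows e57c217.exe opening SYSTEM.INI for modification; a recent
    # LastWriteTime on that file deserves a look.
    $ini = Join-Path -Path $env:SystemRoot -ChildPath 'SYSTEM.INI'
    if (Test-Path -Path $ini) { Get-Item -Path $ini | Select-Object FullName, Length, LastWriteTime }
}

function Test-SalityHash {
    # Compare one file against the hashes published in this report.
    param([Parameter(Mandatory)][string]$Path)
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{ Path = $Path; SHA256 = $hash; KnownAs = $KnownSha256[$hash] }
}

Test-SalityRegistry | Where-Object Match | Format-Table -AutoSize
Test-SalityFiles    | Format-Table -AutoSize
# Test-SalityHash -Path 'C:\Users\Admin\AppData\Local\Temp\e57c217.exe'
```

Run it once on a known-clean build of the same image to learn which of these values your environment sets legitimately (DoNotAllowExceptions and EnableLUA in particular are commonly managed by policy), then treat anything beyond that baseline as a hit to corroborate with the injection and dropped-file evidence.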
Processes

Each entry gives the image path, the recorded command line, the signatures attributed to that process and its
PID; indentation follows the parent/child depth in the report. The 64-bit rundll32.exe started under Explorer
re-launches the DLL in the SysWOW64 (32-bit) rundll32.exe, and it is that 32-bit instance that drops and runs
the three executables from the user's Temp directory.

C:\Windows\system32\fontdrvhost.exe  (PID 780)
    command line: "fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe  (PID 788)
    command line: "fontdrvhost.exe"

C:\Windows\system32\dwm.exe  (PID 388)
    command line: "dwm.exe"

C:\Windows\system32\sihost.exe  (PID 2488)
    command line: sihost.exe

C:\Windows\system32\svchost.exe  (PID 2524)
    command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe  (PID 2672)
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE  (PID 3388)
    command line: C:\Windows\Explorer.EXE

    C:\Windows\system32\rundll32.exe  (PID 4964)
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\875db80a0a413e8f78f7120c878460494b1f4199f8d5aa20e646098818fa21a4.dll,#1
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe  (PID 3572)
            command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\875db80a0a413e8f78f7120c878460494b1f4199f8d5aa20e646098818fa21a4.dll,#1
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\e57c217.exe  (PID 2252)
                command line: C:\Users\Admin\AppData\Local\Temp\e57c217.exe
                signatures: Modifies firewall policy service; UAC bypass; Windows security bypass;
                            Executes dropped EXE; Windows security modification; Checks whether UAC is enabled;
                            Enumerates connected drives; Drops file in Windows directory;
                            System Location Discovery: System Language Discovery;
                            Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken;
                            Suspicious use of WriteProcessMemory; System policy modification

            C:\Users\Admin\AppData\Local\Temp\e57c3cd.exe  (PID 2540)
                command line: C:\Users\Admin\AppData\Local\Temp\e57c3cd.exe
                signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\e57f5e9.exe  (PID 3844)
                command line: C:\Users\Admin\AppData\Local\Temp\e57f5e9.exe
                signatures: Modifies firewall policy service; UAC bypass; Windows security bypass;
                            Executes dropped EXE; Windows security modification; Checks whether UAC is enabled;
                            Enumerates connected drives; Drops file in Windows directory;
                            System Location Discovery: System Language Discovery;
                            Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory;
                            System policy modification

C:\Windows\system32\svchost.exe  (PID 3552)
    command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe  (PID 3756)
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  (PID 3924)
    command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe  (PID 3992)
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  (PID 4072)
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe  (PID 4116)
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe  (PID 2220)
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  (PID 3376)
    command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
Network
MITRE ATT&CK Enterprise v15

  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Create or Modify System Process (1)
      Windows Service (1)

  Defense Evasion
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Impair Defenses (4)
      Disable or Modify System Firewall (1)
      Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

File 1
  Filesize  97KB
  MD5       879c4e50ec35b2c6f587e50262046d38
  SHA1      49dff8414e14692b322bb2d6c0f8f9b9ed74a428
  SHA256    610404c9f454cfc507e86a82f14d3b20fffe1ffaa2039a80d90be3228c94d9d3
  SHA512    973483e9082b95ee0e8111d93236e3ea25379a59743bd6283b68d6bc0520879ce01efd9e304d322256128f3a794515ebe24b2f5ad8834d6d0ade3ca2e0c801fe

File 2
  Filesize  257B
  MD5       408fe7c9dc55eeff907bb738660178ac
  SHA1      727148547c360f7e316ce4ad7e30824d9f4b14a2
  SHA256    5f5ecf319d1d62d1310328bb2f1f8e5f0ddf9e83c60ec4bacd5c7b695730f184
  SHA512    ebfb378bd5185d3d6d1beb54df9ea5df9379c2b508f5b28bdd8d06f85ed29525f0f23076e43105ec1033b0c32e3f21f3cfdffbae60bc84f712f0fa1ba75583f5