Analysis

max time kernel: 94s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 03:28

Static task: static1
Behavioral task: behavioral1
Sample: 8493d8720bb672a05a7a7058bc2450b242c1325f8e689dd75e80024294aa0bb3N.dll
Resource: win7-20241010-en

General

Target: 8493d8720bb672a05a7a7058bc2450b242c1325f8e689dd75e80024294aa0bb3N.dll
Size: 120KB
MD5: b01eb07fd3ef3b5152b7d6e28f722b50
SHA1: 5f3a6d9f95f60de033da491d496fe2d51d9bd483
SHA256: 8493d8720bb672a05a7a7058bc2450b242c1325f8e689dd75e80024294aa0bb3
SHA512: 14105809fd2bd555297d16c2a036521cd3402023d692da3a2fdc4ea1bca33f73816b22baecc9cc44dc6c4d0e8672c6fb2aac7152ee19a3d76739e1da09d617b4
SSDEEP: 3072:4S9rqLo4Jt/ktSZH9PSaQQh28EQif4W3FyLrUGkB9:4S5L4JBktSbSab27Q47FUQ
Malware Config

Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  (3 TTPs, 6 IoCs)
  description     | ioc                                                                                                                          | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578a00.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"       | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"       | e578a00.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578a00.exe

Sality family
UAC bypass  (2 IoCs; heading restored from the per-process signature list in the process tree below)
  description     | ioc                                                                                   | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578a00.exe
Windows security bypass  (12 IoCs; heading restored from the per-process signature list in the process tree below)
  description     | ioc                                                                           | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"       | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"      | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"   | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"       | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578a00.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  | e578a00.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"       | e578a00.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"   | e578a00.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"      | e578a00.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"       | e578a00.exe
  The writes land under WOW6432Node because both processes are 32-bit (they were started by C:\Windows\SysWOW64\rundll32.exe, see the process tree); a 64-bit process reads these same names under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center.
Executes dropped EXE  (4 IoCs)
  pid  | process
  368  | e576eb8.exe
  4868 | e576fc1.exe
  1056 | e578a00.exe
  3028 | e578a1f.exe
Windows security modification  (14 IoCs; heading restored from the per-process signature list in the process tree below)
  description     | ioc                                                                           | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  | e576eb8.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc                         | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"      | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"       | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"   | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"       | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"       | e578a00.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"       | e578a00.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"      | e578a00.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  | e578a00.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"   | e578a00.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578a00.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc                         | e578a00.exe
Checks whether UAC is enabled  (2 IoCs; heading restored from the per-process signature list in the process tree below)
  description     | ioc                                                                                   | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578a00.exe
Enumerates connected drives  (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc   | process
  File opened (read-only) | \??\E: | e576eb8.exe
  File opened (read-only) | \??\G: | e576eb8.exe
  File opened (read-only) | \??\H: | e576eb8.exe
  File opened (read-only) | \??\I: | e576eb8.exe
  File opened (read-only) | \??\J: | e576eb8.exe
  File opened (read-only) | \??\K: | e576eb8.exe
  File opened (read-only) | \??\L: | e576eb8.exe
  File opened (read-only) | \??\M: | e576eb8.exe
  File opened (read-only) | \??\N: | e576eb8.exe
  File opened (read-only) | \??\O: | e576eb8.exe
  File opened (read-only) | \??\P: | e576eb8.exe
  File opened (read-only) | \??\Q: | e576eb8.exe
  File opened (read-only) | \??\R: | e576eb8.exe
  File opened (read-only) | \??\S: | e576eb8.exe
  (rows sorted by drive letter; the original order was I, L, P, Q, S, E, H, J, M, N, O, G, K, R)
Yara rule match: upx  (32 in-memory resources; the rule fired on memory dumps, not on the file on disk)
  resource                                                                                      | yara_rule
  behavioral2/memory/368-<n>-0x00000000007F0000-0x00000000018AA000-memory.dmp                    | upx
    for n in 8, 9, 10, 11, 19, 29, 31, 32, 35, 36, 37, 38, 39, 40, 41, 43, 44, 56, 59, 60, 74, 76, 79, 80, 82, 83, 86, 94, 96, 97  (30 dumps of the same region in PID 368, e576eb8.exe)
  behavioral2/memory/1056-<n>-0x0000000000B50000-0x0000000001C0A000-memory.dmp                   | upx
    for n in 139, 146  (2 dumps of the same region in PID 1056, e578a00.exe)
Drops file in Program Files directory  (4 IoCs)
  description                  | ioc                                    | process
  File opened for modification | C:\Program Files\7-Zip\7z.exe          | e576eb8.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe        | e576eb8.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe         | e576eb8.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe   | e576eb8.exe

Drops file in Windows directory  (3 IoCs)
  description                  | ioc                     | process
  File created                 | C:\Windows\e576f35      | e576eb8.exe
  File opened for modification | C:\Windows\SYSTEM.INI   | e576eb8.exe
  File created                 | C:\Windows\e57d88d      | e578a00.exe
System Location Discovery: System Language Discovery  (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                      | process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e576eb8.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e576fc1.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578a00.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578a1f.exe

Suspicious behavior: EnumeratesProcesses  (4 IoCs)
  pid | process
  368 | e576eb8.exe
  368 | e576eb8.exe
  368 | e576eb8.exe
  368 | e576eb8.exe
Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  description             | pid | process
  Token: SeDebugPrivilege | 368 | e576eb8.exe
  (the same entry is logged 64 times; SeDebugPrivilege is what lets PID 368 open the other processes it writes into below)
Suspicious use of WriteProcessMemory  (54 IoCs)
  description                      | pid  | process     | procid_target
  PID 4164 wrote to memory of 4824 | 4164 | rundll32.exe | 82   (x3)
  PID 4824 wrote to memory of 368  | 4824 | rundll32.exe | 83   (x3)
  PID 368 wrote to memory of 772   | 368  | e576eb8.exe  | 8
  PID 368 wrote to memory of 776   | 368  | e576eb8.exe  | 9
  PID 368 wrote to memory of 380   | 368  | e576eb8.exe  | 13
  PID 368 wrote to memory of 2428  | 368  | e576eb8.exe  | 42
  PID 368 wrote to memory of 2452  | 368  | e576eb8.exe  | 43
  PID 368 wrote to memory of 2548  | 368  | e576eb8.exe  | 44
  PID 368 wrote to memory of 3436  | 368  | e576eb8.exe  | 56
  PID 368 wrote to memory of 3632  | 368  | e576eb8.exe  | 57
  PID 368 wrote to memory of 3840  | 368  | e576eb8.exe  | 58
  PID 368 wrote to memory of 3936  | 368  | e576eb8.exe  | 59
  PID 368 wrote to memory of 4032  | 368  | e576eb8.exe  | 60
  PID 368 wrote to memory of 1100  | 368  | e576eb8.exe  | 61
  PID 368 wrote to memory of 3952  | 368  | e576eb8.exe  | 62
  PID 368 wrote to memory of 1412  | 368  | e576eb8.exe  | 75
  PID 368 wrote to memory of 2260  | 368  | e576eb8.exe  | 76
  PID 368 wrote to memory of 4164  | 368  | e576eb8.exe  | 81
  PID 368 wrote to memory of 4824  | 368  | e576eb8.exe  | 82   (x2)
  PID 4824 wrote to memory of 4868 | 4824 | rundll32.exe | 84   (x3)
  PID 4824 wrote to memory of 1056 | 4824 | rundll32.exe | 85   (x3)
  PID 4824 wrote to memory of 3028 | 4824 | rundll32.exe | 86   (x3)
  Second pass by PID 368, same targets in the same order:
  PID 368 wrote to memory of 772, 776, 380, 2428, 2452, 2548, 3436, 3632, 3840, 3936, 4032, 1100, 3952, 1412, 2260 | 368 | e576eb8.exe | 8, 9, 13, 42, 43, 44, 56, 57, 58, 59, 60, 61, 62, 75, 76   (one row each)
  PID 368 wrote to memory of 4868  | 368  | e576eb8.exe  | 84   (x2)
  PID 368 wrote to memory of 1056  | 368  | e576eb8.exe  | 85   (x2)
  PID 368 wrote to memory of 3028  | 368  | e576eb8.exe  | 86   (x2)
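The fan-out in these rows is the detectable part. PID 368 (e576eb8.exe) writes into twenty distinct processes: the fifteen session processes listed at the top of the process tree (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, StartMenuExperienceHost, RuntimeBroker, SearchApp, TextInputHost), its two rundll32 ancestors, and the three executables dropped alongside it. The two rundll32 hosts, by contrast, only write into processes they themselves started. The script below is an added example, not part of the sandbox report or of any tool the sandbox uses: it parses rows in the wording used above and flags a source PID that writes into many distinct targets or into any session/system process. The sample rows are a subset of the rows above and the PID-to-image map is taken from the Processes section; the threshold of 8 distinct targets and the protected-image set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Suspicious use of WriteProcessMemory" rows
# from this report, one row per line, in the sandbox's own wording.
SAMPLE_ROWS = """\
PID 4164 wrote to memory of 4824 4164 rundll32.exe 82
PID 4164 wrote to memory of 4824 4164 rundll32.exe 82
PID 4824 wrote to memory of 368 4824 rundll32.exe 83
PID 368 wrote to memory of 772 368 e576eb8.exe 8
PID 368 wrote to memory of 776 368 e576eb8.exe 9
PID 368 wrote to memory of 380 368 e576eb8.exe 13
PID 368 wrote to memory of 2428 368 e576eb8.exe 42
PID 368 wrote to memory of 2452 368 e576eb8.exe 43
PID 368 wrote to memory of 2548 368 e576eb8.exe 44
PID 368 wrote to memory of 3436 368 e576eb8.exe 56
PID 368 wrote to memory of 3632 368 e576eb8.exe 57
PID 368 wrote to memory of 3840 368 e576eb8.exe 58
PID 368 wrote to memory of 4164 368 e576eb8.exe 81
PID 368 wrote to memory of 4824 368 e576eb8.exe 82
PID 4824 wrote to memory of 4868 4824 rundll32.exe 84
PID 4824 wrote to memory of 1056 4824 rundll32.exe 85
PID 4824 wrote to memory of 3028 4824 rundll32.exe 86
"""

# PID -> image name, taken from the Processes section of the report.
PROCESS_IMAGES = {
    772: "fontdrvhost.exe", 776: "fontdrvhost.exe", 380: "dwm.exe",
    2428: "sihost.exe", 2452: "svchost.exe", 2548: "taskhostw.exe",
    3436: "Explorer.EXE", 3632: "svchost.exe", 3840: "DllHost.exe",
    4164: "rundll32.exe", 4824: "rundll32.exe", 368: "e576eb8.exe",
    4868: "e576fc1.exe", 1056: "e578a00.exe", 3028: "e578a1f.exe",
}

# Assumption: session/system images a user-mode sample has no business writing into.
PROTECTED_IMAGES = {"fontdrvhost.exe", "dwm.exe", "sihost.exe", "svchost.exe",
                    "taskhostw.exe", "explorer.exe", "dllhost.exe"}

# "PID <src> wrote to memory of <dst> <src> <image> <target index>"; the
# backreference insists the source PID is repeated, as the sandbox prints it.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_rows(text):
    """Yield (source_pid, target_pid, source_image) for every well-formed row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3)


def detect_mass_injection(text, min_targets=8):
    """Group writes by source PID and flag a source that either writes into at
    least `min_targets` distinct processes or touches any protected image.
    Returns {source_pid: {"image", "distinct_targets", "protected_targets"}}."""
    targets = defaultdict(set)
    images = {}
    for src, dst, img in parse_rows(text):
        targets[src].add(dst)
        images[src] = img
    findings = {}
    for src, dsts in targets.items():
        protected = sorted(d for d in dsts
                           if PROCESS_IMAGES.get(d, "").lower() in PROTECTED_IMAGES)
        if len(dsts) >= min_targets or protected:
            findings[src] = {"image": images[src],
                             "distinct_targets": len(dsts),
                             "protected_targets": protected}
    return findings


if __name__ == "__main__":
    for pid, info in detect_mass_injection(SAMPLE_ROWS).items():
        print(f"PID {pid} ({info['image']}): wrote into {info['distinct_targets']} "
              f"distinct processes, protected targets {info['protected_targets']}")
```

Run against the sample rows, only PID 368 is reported; the rundll32 hosts stay below the threshold and never touch a protected image, which is the behaviour of a legitimate loader starting its own children.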
System policy modification  (1 TTP, 2 IoCs)
  description     | ioc                                                                                   | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576eb8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578a00.exe
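Taken together, the registry rows in these signatures (firewall policy, EnableLUA, Security Center overrides and notification switches) are a host-side checklist. The script below is an added example, not part of the report or of the sandbox vendor's tooling: its evaluation logic runs anywhere, and its collection part uses the standard-library winreg module on the Windows host being checked. It assumes the live paths CurrentControlSet and HKLM\SOFTWARE (the sandbox logs the kernel-side \REGISTRY\MACHINE\ControlSet001 form) and reads the Security Center key in both the native and the WOW6432Node view, because the sample ran under the 32-bit SysWOW64\rundll32.exe and its writes were redirected to the latter. The "infected" snapshot is constructed from the values logged above; DoNotAllowExceptions is deliberately not used as an indicator because the value the sample wrote (0) is also the Windows default, so it proves nothing on its own.

```python
"""Audit the registry values this Sality sample tampered with.

audit() is platform-independent and testable; read_live_snapshot() needs the
standard-library winreg module and therefore only works on Windows."""
try:
    import winreg  # present on Windows only
except ImportError:
    winreg = None

# Live paths. The sandbox logs \REGISTRY\MACHINE\ControlSet001; at runtime that
# control set is reached through CurrentControlSet.
FIREWALL = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
UAC = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# The sample is 32-bit (hosted by SysWOW64\rundll32.exe), so its Security Center
# writes were redirected to the WOW6432Node view; check both views.
SECURITY_CENTER_VIEWS = (
    r"SOFTWARE\Microsoft\Security Center",
    r"SOFTWARE\WOW6432Node\Microsoft\Security Center",
)
SECURITY_CENTER_NAMES = (
    "AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
    "FirewallDisableNotify", "UacDisableNotify", "UpdatesDisableNotify",
)

# (key path, value name) -> the value the sample wrote. DoNotAllowExceptions is
# left out on purpose: the sample set it to 0, which is also the Windows default.
TAMPER_INDICATORS = {
    (FIREWALL, "EnableFirewall"): 0,
    (FIREWALL, "DisableNotifications"): 1,
    (UAC, "EnableLUA"): 0,
}
for _view in SECURITY_CENTER_VIEWS:
    for _name in SECURITY_CENTER_NAMES:
        TAMPER_INDICATORS[(_view, _name)] = 1


def audit(snapshot):
    """Return the sorted (path, name) pairs whose current value equals what the
    sample wrote. `snapshot` maps (path, name) -> int, or None when absent."""
    return sorted(key for key, bad in TAMPER_INDICATORS.items()
                  if snapshot.get(key) == bad)


def read_live_snapshot():
    """Collect the indicator values from the local machine (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: run this on the Windows host being checked")
    snapshot = {}
    for path, name in TAMPER_INDICATORS:
        try:
            # KEY_WOW64_64KEY resolves both paths the way a 64-bit process sees
            # them, even if this interpreter is itself 32-bit.
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0,
                                winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
                snapshot[(path, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            snapshot[(path, name)] = None
    return snapshot


def format_hits(hits):
    """Render audit() results as one line per tampered value."""
    return [f"HKLM\\{path}\\{name} = {TAMPER_INDICATORS[(path, name)]}" for path, name in hits]


# Constructed snapshot reproducing what the sandbox logged for e576eb8.exe and
# e578a00.exe (Security Center values present only in the WOW6432Node view).
INFECTED_SNAPSHOT = {
    (FIREWALL, "EnableFirewall"): 0,
    (FIREWALL, "DisableNotifications"): 1,
    (FIREWALL, "DoNotAllowExceptions"): 0,
    (UAC, "EnableLUA"): 0,
}
INFECTED_SNAPSHOT.update({(SECURITY_CENTER_VIEWS[1], n): 1 for n in SECURITY_CENTER_NAMES})

# Constructed snapshot of a host with the firewall and UAC enabled and no overrides.
CLEAN_SNAPSHOT = {
    (FIREWALL, "EnableFirewall"): 1,
    (FIREWALL, "DisableNotifications"): 0,
    (UAC, "EnableLUA"): 1,
}

if __name__ == "__main__":
    hits = audit(read_live_snapshot())
    print("\n".join(format_hits(hits)) if hits else "no indicators matched")
```

Run on the host as an administrator; a hit on EnableLUA or EnableFirewall is a strong signal on its own, while the Security Center hits confirm the same actor touched the notification switches. Values are reported, not repaired: on an infected host the 7-Zip executables and SYSTEM.INI listed in the file signatures also need attention, so re-enabling the firewall is not a clean-up.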
Processes
(children are indented under their parent; the bullet lines under a process are the signatures attributed to it)

PID 772   C:\Windows\system32\fontdrvhost.exe
          cmdline: "fontdrvhost.exe"
PID 776   C:\Windows\system32\fontdrvhost.exe
          cmdline: "fontdrvhost.exe"
PID 380   C:\Windows\system32\dwm.exe
          cmdline: "dwm.exe"
PID 2428  C:\Windows\system32\sihost.exe
          cmdline: sihost.exe
PID 2452  C:\Windows\system32\svchost.exe
          cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2548  C:\Windows\system32\taskhostw.exe
          cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3436  C:\Windows\Explorer.EXE
          cmdline: C:\Windows\Explorer.EXE
  PID 4164  C:\Windows\system32\rundll32.exe
            cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8493d8720bb672a05a7a7058bc2450b242c1325f8e689dd75e80024294aa0bb3N.dll,#1
            - Suspicious use of WriteProcessMemory
    PID 4824  C:\Windows\SysWOW64\rundll32.exe
              cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8493d8720bb672a05a7a7058bc2450b242c1325f8e689dd75e80024294aa0bb3N.dll,#1
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
      PID 368   C:\Users\Admin\AppData\Local\Temp\e576eb8.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\e576eb8.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
      PID 4868  C:\Users\Admin\AppData\Local\Temp\e576fc1.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\e576fc1.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
      PID 1056  C:\Users\Admin\AppData\Local\Temp\e578a00.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\e578a00.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - System policy modification
      PID 3028  C:\Users\Admin\AppData\Local\Temp\e578a1f.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
PID 3632  C:\Windows\system32\svchost.exe
          cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3840  C:\Windows\system32\DllHost.exe
          cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3936  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 4032  C:\Windows\System32\RuntimeBroker.exe
          cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1100  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3952  C:\Windows\System32\RuntimeBroker.exe
          cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1412  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
          cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 2260  C:\Windows\System32\RuntimeBroker.exe
          cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

Reading the tree: the 64-bit rundll32.exe (PID 4164) hands the DLL to a 32-bit SysWOW64\rundll32.exe (PID 4824) with the same command line, and that 32-bit host is the parent of the four executables run from %TEMP%. The top-level processes that carry no signatures (PIDs 772, 776, 380, 2428, 2452, 2548, 3436, 3632, 3840, 3936, 4032, 1100, 3952, 1412, 2260) appear in the tree because PID 368 wrote into each of them, as the WriteProcessMemory rows above record.
Network
MITRE ATT&CK Enterprise v15
(counts in parentheses are the number of signatures mapped to each technique)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

-
  Filesize: 97KB
  MD5: 74253e545a44d6acb4d2b6ea7f46865c
  SHA1: e3c6f68044ab550972e4fc6b43841716b6e121bf
  SHA256: bd363615eecb1207b489d79a578d9d5d359dff4fe89efddbe4826c399f2893f9
  SHA512: 96fe7ef34c938ce1f214b9d49397d2d6ff9d6ed2b96be571ae48fbd24768d411c32109bc40a5370d684829bfd4b132c1bb3584f40cdeb837cc4d0a7fff80bd49
-
  Filesize: 257B
  MD5: 23b9abd3cdc23fd824fd27be782e2257
  SHA1: 8f549530636f34351a4bc8daf1c9932605b474a3
  SHA256: b5c269d77f8b8ae5f3e33f4c9a432a1fe27b21cf3c42d04508fb2eac770ba621
  SHA512: f17c4af2a80b5ea6cbc731641285fd00d28fc401c9d95cad2908865c0f89d81829cceded1ae0f9ad3e1720e0d2eaae5e3bb17c655ea65995d1c494b6fa3bb4d0