Analysis
- max time kernel: 32s
- max time network: 93s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 13:39
Static task: static1
Behavioral task: behavioral1
- Sample: 5a909b8bfbc11504be8d47b6f70d26dd6cf7c01eb387fd0b7f776f084c42140bN.dll
- Resource: win7-20240903-en
General
- Target: 5a909b8bfbc11504be8d47b6f70d26dd6cf7c01eb387fd0b7f776f084c42140bN.dll
- Size: 120KB
- MD5: 7a64d212765cd73abbaf9d029794a5b0
- SHA1: d3c4467355398ec5c40a863eb000bfaf60f9b581
- SHA256: 5a909b8bfbc11504be8d47b6f70d26dd6cf7c01eb387fd0b7f776f084c42140b
- SHA512: 80d62c48dcba94777e7ae8320a86ac64d1838dfec840b8708741032111f73c4404f8ca4de7a8100673c48e5863f7f4412f15d7d94b2526a77934f7da06c6faad
- SSDEEP: 1536:yNpXNV370nW/deVWifQ5udLFh7uZncixc2ttrftgBn5gZHwYAWr9y1lgBGu9pHCx:yHNd70WMVWZYFBexBt9Osro1lKXVs
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57cdcf.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579cec.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579cec.exe
Executes dropped EXE 4 IoCs
pid | Process
4548 | e579cec.exe
4364 | e579e05.exe
4176 | e57cdcf.exe
3640 | e57ce0e.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57cdcf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579cec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57cdcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57cdcf.exe
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e579cec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57cdcf.exe -
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e579cec.exe
File opened (read-only) | \??\G: | e579cec.exe
File opened (read-only) | \??\I: | e579cec.exe
File opened (read-only) | \??\J: | e579cec.exe
File opened (read-only) | \??\K: | e579cec.exe
File opened (read-only) | \??\L: | e579cec.exe
File opened (read-only) | \??\M: | e579cec.exe
File opened (read-only) | \??\G: | e57cdcf.exe
File opened (read-only) | \??\H: | e57cdcf.exe
File opened (read-only) | \??\I: | e57cdcf.exe
File opened (read-only) | \??\H: | e579cec.exe
File opened (read-only) | \??\N: | e579cec.exe
File opened (read-only) | \??\E: | e57cdcf.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e579d59 | e579cec.exe
File opened for modification | C:\Windows\SYSTEM.INI | e579cec.exe
File created | C:\Windows\e57f54d | e57cdcf.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ce0e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579cec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579e05.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57cdcf.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process | count
4548 | e579cec.exe | 4
4176 | e57cdcf.exe | 2
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process | count
Token: SeDebugPrivilege | 4548 | e579cec.exe | 64
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | count
PID 3636 wrote to memory of 5068 | 3636 | rundll32.exe | 82 | 3
PID 5068 wrote to memory of 4548 | 5068 | rundll32.exe | 83 | 3
PID 4548 wrote to memory of 752 | 4548 | e579cec.exe | 8 | 2
PID 4548 wrote to memory of 756 | 4548 | e579cec.exe | 9 | 2
PID 4548 wrote to memory of 984 | 4548 | e579cec.exe | 13 | 2
PID 4548 wrote to memory of 2860 | 4548 | e579cec.exe | 49 | 2
PID 4548 wrote to memory of 2892 | 4548 | e579cec.exe | 50 | 2
PID 4548 wrote to memory of 2972 | 4548 | e579cec.exe | 51 | 2
PID 4548 wrote to memory of 3368 | 4548 | e579cec.exe | 56 | 2
PID 4548 wrote to memory of 3532 | 4548 | e579cec.exe | 57 | 2
PID 4548 wrote to memory of 3724 | 4548 | e579cec.exe | 58 | 2
PID 4548 wrote to memory of 3896 | 4548 | e579cec.exe | 59 | 2
PID 4548 wrote to memory of 3972 | 4548 | e579cec.exe | 60 | 2
PID 4548 wrote to memory of 4064 | 4548 | e579cec.exe | 61 | 2
PID 4548 wrote to memory of 3820 | 4548 | e579cec.exe | 62 | 2
PID 4548 wrote to memory of 1448 | 4548 | e579cec.exe | 75 | 2
PID 4548 wrote to memory of 2724 | 4548 | e579cec.exe | 76 | 2
PID 4548 wrote to memory of 3636 | 4548 | e579cec.exe | 81 | 2
PID 4548 wrote to memory of 5068 | 4548 | e579cec.exe | 82 | 2
PID 5068 wrote to memory of 4364 | 5068 | rundll32.exe | 84 | 3
PID 4548 wrote to memory of 4364 | 4548 | e579cec.exe | 84 | 2
PID 5068 wrote to memory of 4176 | 5068 | rundll32.exe | 85 | 3
PID 5068 wrote to memory of 3640 | 5068 | rundll32.exe | 86 | 3
PID 4176 wrote to memory of 752 | 4176 | e57cdcf.exe | 8 | 1
PID 4176 wrote to memory of 756 | 4176 | e57cdcf.exe | 9 | 1
PID 4176 wrote to memory of 984 | 4176 | e57cdcf.exe | 13 | 1
PID 4176 wrote to memory of 2860 | 4176 | e57cdcf.exe | 49 | 1
PID 4176 wrote to memory of 2892 | 4176 | e57cdcf.exe | 50 | 1
PID 4176 wrote to memory of 2972 | 4176 | e57cdcf.exe | 51 | 1
PID 4176 wrote to memory of 3368 | 4176 | e57cdcf.exe | 56 | 1
PID 4176 wrote to memory of 3532 | 4176 | e57cdcf.exe | 57 | 1
PID 4176 wrote to memory of 3724 | 4176 | e57cdcf.exe | 58 | 1
PID 4176 wrote to memory of 3896 | 4176 | e57cdcf.exe | 59 | 1
PID 4176 wrote to memory of 3972 | 4176 | e57cdcf.exe | 60 | 1
PID 4176 wrote to memory of 4064 | 4176 | e57cdcf.exe | 61 | 1
PID 4176 wrote to memory of 3820 | 4176 | e57cdcf.exe | 62 | 1
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579cec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cdcf.exe
Processes
- C:\Windows\system32\fontdrvhost.exe (PID 752)
  command: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (PID 756)
  command: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 984)
  command: "dwm.exe"
- C:\Windows\system32\sihost.exe (PID 2860)
  command: sihost.exe
- C:\Windows\system32\svchost.exe (PID 2892)
  command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 2972)
  command: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3368)
  command: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 3636)
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a909b8bfbc11504be8d47b6f70d26dd6cf7c01eb387fd0b7f776f084c42140bN.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 5068)
      command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a909b8bfbc11504be8d47b6f70d26dd6cf7c01eb387fd0b7f776f084c42140bN.dll,#1
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e579cec.exe (PID 4548)
        command: C:\Users\Admin\AppData\Local\Temp\e579cec.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e579e05.exe (PID 4364)
        command: C:\Users\Admin\AppData\Local\Temp\e579e05.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe (PID 4176)
        command: C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57ce0e.exe (PID 3640)
        command: C:\Users\Admin\AppData\Local\Temp\e57ce0e.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe (PID 3532)
  command: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3724)
  command: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3896)
  command: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3972)
  command: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 4064)
  command: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3820)
  command: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 1448)
  command: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 2724)
  command: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 340330a060f3baa0fbe0071059344c1e
  SHA1: 9935a8d041e27402d27a7df76955c97a544fe8cf
  SHA256: d7ed5e52606b00eaf1fed390f4597eb6a26aca307e9343bfe0d7ce82f5023d28
  SHA512: 7029e3bf859bd8d55b8ee6a9e30b42d528387def53d3a74b84bb016cb6cab629d9cb37b2d9a91020979f1ba427caac800971178571dfea16f0d5412ef7241f82
- Filesize: 257B
  MD5: 0ffef9a2a5ee16d893aa7ea321e6c98e
  SHA1: 85bbe642fc82afa135de6e4d7e4e1c984d332cd5
  SHA256: e45aacaf675133c85343ec2c8ddc1f75cc08372caa4844bc9d6bd0b59c8e3278
  SHA512: 1be932a5b0acac0c136658e2a3a331d4b3ed10f55dafb89c832e9b88accfc6dd7eafdb026da2c9882084dcbd0a6102094515fb2afdfe472c094985218825b603