Analysis

max time kernel: 31s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 13:33

Static task: static1
Behavioral task: behavioral1
Sample: f9fffc21a697febde4312cf0f2eddcd995c9239677a6f9c931473a44ef79bcacN.dll
Resource: win7-20241010-en
General

Target: f9fffc21a697febde4312cf0f2eddcd995c9239677a6f9c931473a44ef79bcacN.dll
Size: 120KB
MD5: 22d86575345e994d970f0c5bf6c73360
SHA1: f48468e772e1db2285fb2d4e618111795852102e
SHA256: f9fffc21a697febde4312cf0f2eddcd995c9239677a6f9c931473a44ef79bcac
SHA512: bc6266fe685edad539e1174da7a37722c70234172cc62dd70119805f441a47d5d03265aff0b3e74092f5adba3e1dc3edf9b2c99a5f4c00050fa0bb1f694e6b2f
SSDEEP: 1536:SFnXP98ynlLUCc4iNMjwlQxTSdHrYftixOgQst79TNYCrf8MeZ4P10+f:8qlf4WMwliTSdLYfcgzO9Jvf8ei+
Malware Config

Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  (3 TTPs, 6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e4d2.exe
Sality family

UAC bypass

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e4d2.exe

Windows security bypass

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b640.exe
Executes dropped EXE  (4 IoCs)

pid | Process
4436 | e57b640.exe
3312 | e57b7b7.exe
3228 | e57e4d2.exe
1696 | e57e4f1.exe

Windows security modification

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b640.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e4d2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e4d2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e4d2.exe

Checks whether UAC is enabled

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e4d2.exe
Enumerates connected drives  (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\G: | e57b640.exe
File opened (read-only) | \??\I: | e57b640.exe
File opened (read-only) | \??\J: | e57b640.exe
File opened (read-only) | \??\K: | e57b640.exe
File opened (read-only) | \??\M: | e57b640.exe
File opened (read-only) | \??\E: | e57e4d2.exe
File opened (read-only) | \??\I: | e57e4d2.exe
File opened (read-only) | \??\E: | e57b640.exe
File opened (read-only) | \??\H: | e57b640.exe
File opened (read-only) | \??\L: | e57b640.exe
File opened (read-only) | \??\G: | e57e4d2.exe
File opened (read-only) | \??\H: | e57e4d2.exe
Memory dumps matching yara rule "upx"  (28 IoCs)

resource | yara_rule
behavioral2/memory/4436-N-0x0000000000750000-0x000000000180A000-memory.dmp, for N in 6, 8, 9, 10, 11, 17, 22, 26, 32, 33, 34, 35, 36, 37, 38, 39, 50, 58, 60, 62, 63, 65, 66, 69, 71 (25 dumps of PID 4436) | upx
behavioral2/memory/3228-N-0x00000000007F0000-0x00000000018AA000-memory.dmp, for N in 103, 106, 155 (3 dumps of PID 3228) | upx
Drops file in Windows directory  (3 IoCs)

description | ioc | Process
File created | C:\Windows\e57b69e | e57b640.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57b640.exe
File created | C:\Windows\e580c4f | e57e4d2.exe
System Location Discovery: System Language Discovery  (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b640.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b7b7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e4d2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e4f1.exe
Suspicious behavior: EnumeratesProcesses  (6 IoCs)

pid | Process
4436 | e57b640.exe  (4 entries)
3228 | e57e4d2.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken  (64 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 4436 | e57b640.exe  (64 identical entries)
Suspicious use of WriteProcessMemory  (64 IoCs)

description | pid | Process | procid_target
PID 4548 wrote to memory of 4768 | 4548 | rundll32.exe | 82  (x3)
PID 4768 wrote to memory of 4436 | 4768 | rundll32.exe | 83  (x3)
PID 4436 wrote to memory of 784 | 4436 | e57b640.exe | 9
PID 4436 wrote to memory of 792 | 4436 | e57b640.exe | 10
PID 4436 wrote to memory of 316 | 4436 | e57b640.exe | 13
PID 4436 wrote to memory of 2672 | 4436 | e57b640.exe | 44
PID 4436 wrote to memory of 2680 | 4436 | e57b640.exe | 45
PID 4436 wrote to memory of 3020 | 4436 | e57b640.exe | 51
PID 4436 wrote to memory of 3456 | 4436 | e57b640.exe | 56
PID 4436 wrote to memory of 3596 | 4436 | e57b640.exe | 57
PID 4436 wrote to memory of 3776 | 4436 | e57b640.exe | 58
PID 4436 wrote to memory of 3864 | 4436 | e57b640.exe | 59
PID 4436 wrote to memory of 3924 | 4436 | e57b640.exe | 60
PID 4436 wrote to memory of 4008 | 4436 | e57b640.exe | 61
PID 4436 wrote to memory of 4148 | 4436 | e57b640.exe | 62
PID 4436 wrote to memory of 3748 | 4436 | e57b640.exe | 74
PID 4436 wrote to memory of 3324 | 4436 | e57b640.exe | 76
PID 4436 wrote to memory of 4548 | 4436 | e57b640.exe | 81
PID 4436 wrote to memory of 4768 | 4436 | e57b640.exe | 82  (x2)
PID 4768 wrote to memory of 3312 | 4768 | rundll32.exe | 84  (x3)
PID 4436 wrote to memory of 784 | 4436 | e57b640.exe | 9
PID 4436 wrote to memory of 792 | 4436 | e57b640.exe | 10
PID 4436 wrote to memory of 316 | 4436 | e57b640.exe | 13
PID 4436 wrote to memory of 2672 | 4436 | e57b640.exe | 44
PID 4436 wrote to memory of 2680 | 4436 | e57b640.exe | 45
PID 4436 wrote to memory of 3020 | 4436 | e57b640.exe | 51
PID 4436 wrote to memory of 3456 | 4436 | e57b640.exe | 56
PID 4436 wrote to memory of 3596 | 4436 | e57b640.exe | 57
PID 4436 wrote to memory of 3776 | 4436 | e57b640.exe | 58
PID 4436 wrote to memory of 3864 | 4436 | e57b640.exe | 59
PID 4436 wrote to memory of 3924 | 4436 | e57b640.exe | 60
PID 4436 wrote to memory of 4008 | 4436 | e57b640.exe | 61
PID 4436 wrote to memory of 4148 | 4436 | e57b640.exe | 62
PID 4436 wrote to memory of 3748 | 4436 | e57b640.exe | 74
PID 4436 wrote to memory of 3324 | 4436 | e57b640.exe | 76
PID 4436 wrote to memory of 4548 | 4436 | e57b640.exe | 81
PID 4436 wrote to memory of 3312 | 4436 | e57b640.exe | 84  (x2)
PID 4768 wrote to memory of 3228 | 4768 | rundll32.exe | 85  (x3)
PID 4768 wrote to memory of 1696 | 4768 | rundll32.exe | 86  (x3)
PID 3228 wrote to memory of 784 | 3228 | e57e4d2.exe | 9
PID 3228 wrote to memory of 792 | 3228 | e57e4d2.exe | 10
PID 3228 wrote to memory of 316 | 3228 | e57e4d2.exe | 13
PID 3228 wrote to memory of 2672 | 3228 | e57e4d2.exe | 44
PID 3228 wrote to memory of 2680 | 3228 | e57e4d2.exe | 45
PID 3228 wrote to memory of 3020 | 3228 | e57e4d2.exe | 51
PID 3228 wrote to memory of 3456 | 3228 | e57e4d2.exe | 56
PID 3228 wrote to memory of 3596 | 3228 | e57e4d2.exe | 57
PID 3228 wrote to memory of 3776 | 3228 | e57e4d2.exe | 58
PID 3228 wrote to memory of 3864 | 3228 | e57e4d2.exe | 59
PID 3228 wrote to memory of 3924 | 3228 | e57e4d2.exe | 60
PID 3228 wrote to memory of 4008 | 3228 | e57e4d2.exe | 61
PID 3228 wrote to memory of 4148 | 3228 | e57e4d2.exe | 62
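The WriteProcessMemory rows above mix two kinds of writes: writes among the sample's own processes (the rundll32 loaders and the dropped executables, including the write a parent makes into a child it is starting) and writes by e57b640.exe and e57e4d2.exe into processes that were already running before the sample (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, RuntimeBroker and the SystemApps hosts). The second kind is the injection behaviour worth triaging. The following is an added example, not part of the Triage report or of the sample: it parses rows in the report's format, separates in-chain writes from writes into unrelated processes, and flags writers that hit several unrelated processes. WRITE_RE, PROCESS_IMAGES, SAMPLE_CHAIN, SAMPLE_WRITES and the min_targets threshold are assumptions constructed for this example from the data shown in this report.

```python
"""Reconstruct who wrote into whom from Triage "wrote to memory" IoC rows.

Added example for this report, not sandbox output. The split between the
sample's own process chain and "foreign" processes is an assumption taken
from the Processes section of the report.
"""
import re
from collections import defaultdict

# One row: "PID <src> wrote to memory of <dst> <src> <image> <target_id>".
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+(?P=src)\s+"
    r"(?P<image>\S+)\s+(?P<target_id>\d+)$"
)

# pid -> image name, a constructed subset of the report's process list.
PROCESS_IMAGES = {
    784: "fontdrvhost.exe", 792: "fontdrvhost.exe", 316: "dwm.exe",
    2672: "sihost.exe", 2680: "svchost.exe", 3020: "taskhostw.exe",
    3456: "Explorer.EXE", 3596: "svchost.exe", 3776: "DllHost.exe",
    3864: "StartMenuExperienceHost.exe", 3924: "RuntimeBroker.exe",
    4008: "SearchApp.exe", 4148: "RuntimeBroker.exe", 3748: "TextInputHost.exe",
    3324: "RuntimeBroker.exe", 4548: "rundll32.exe", 4768: "rundll32.exe",
    4436: "e57b640.exe", 3312: "e57b7b7.exe", 3228: "e57e4d2.exe", 1696: "e57e4f1.exe",
}

# PIDs belonging to the sample's own chain (loaders plus dropped EXEs); assumption.
SAMPLE_CHAIN = {4548, 4768, 4436, 3312, 3228, 1696}

# Constructed sample: a subset of the rows shown in this report.
SAMPLE_WRITES = [
    "PID 4548 wrote to memory of 4768 4548 rundll32.exe 82",
    "PID 4548 wrote to memory of 4768 4548 rundll32.exe 82",
    "PID 4548 wrote to memory of 4768 4548 rundll32.exe 82",
    "PID 4768 wrote to memory of 4436 4768 rundll32.exe 83",
    "PID 4768 wrote to memory of 4436 4768 rundll32.exe 83",
    "PID 4768 wrote to memory of 4436 4768 rundll32.exe 83",
    "PID 4436 wrote to memory of 784 4436 e57b640.exe 9",
    "PID 4436 wrote to memory of 792 4436 e57b640.exe 10",
    "PID 4436 wrote to memory of 316 4436 e57b640.exe 13",
    "PID 4436 wrote to memory of 2672 4436 e57b640.exe 44",
    "PID 4436 wrote to memory of 3456 4436 e57b640.exe 56",
    "PID 4436 wrote to memory of 4548 4436 e57b640.exe 81",
    "PID 4436 wrote to memory of 4768 4436 e57b640.exe 82",
    "PID 3228 wrote to memory of 784 3228 e57e4d2.exe 9",
    "PID 3228 wrote to memory of 792 3228 e57e4d2.exe 10",
    "PID 3228 wrote to memory of 316 3228 e57e4d2.exe 13",
]


def parse_writes(lines):
    """Return (src_pid, dst_pid, src_image) for every row that matches WRITE_RE."""
    out = []
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if m:
            out.append((int(m.group("src")), int(m.group("dst")), m.group("image")))
    return out


def injection_summary(writes, images=PROCESS_IMAGES, chain=SAMPLE_CHAIN):
    """Per writer PID: distinct targets outside the chain ("foreign") and inside it."""
    buckets = defaultdict(lambda: {"foreign": set(), "chain": set()})
    for src, dst, _ in writes:
        buckets[src]["chain" if dst in chain else "foreign"].add(dst)
    return {
        src: {
            "image": images.get(src, "?"),
            "foreign": sorted(b["foreign"]),
            "chain": sorted(b["chain"]),
        }
        for src, b in buckets.items()
    }


def injectors(summary, min_targets=3):
    """Writer PIDs that touched at least min_targets distinct foreign processes."""
    return sorted(p for p, s in summary.items() if len(s["foreign"]) >= min_targets)


if __name__ == "__main__":
    summary = injection_summary(parse_writes(SAMPLE_WRITES))
    for pid in injectors(summary):
        names = [PROCESS_IMAGES.get(t, str(t)) for t in summary[pid]["foreign"]]
        print(f"{pid} ({summary[pid]['image']}) wrote into: {', '.join(names)}")
```

Run against the full 64-row table, both e57b640.exe and e57e4d2.exe come out as injectors; the rundll32 loaders do not, because their only targets are the processes they themselves started.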
System policy modification  (1 TTPs, 2 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e4d2.exe
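The registry writes listed under the signatures above (the FirewallPolicy values, EnableLUA, and the Security Center override and DisableNotify flags) are the evidence behind the firewall, UAC-bypass, security-bypass and policy-modification signatures. The following is an added example, not part of the Triage report or of the sample: it parses IoC rows in the report's format and maps each process to the defenses its writes turn off, which is the shape a triage script or a sandbox post-processor would take. IOC_RE, the RULES table and SAMPLE_IOCS are assumptions constructed for this example from the rows shown in this report, not a published Triage signature.

```python
"""Classify Triage-style registry IoC rows into defense-impairment findings.

Added example for this report, not part of the sandbox output. The rule
table is an assumption built from the registry values this report lists.
"""
import re
from collections import defaultdict

# One IoC row as the report prints it: description, registry path,
# optional = "data", then the process name. Paths may contain spaces.
IOC_RE = re.compile(
    r'^(?P<desc>Set value \([^)]*\)|Key (?:created|opened))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>\S+)$'
)

# (regex matched against the tail of the registry path, data meaning
# "impaired", finding label). Constructed from the values in this report.
RULES = [
    (r"FirewallPolicy\\\w+Profile\\EnableFirewall", "0", "firewall disabled"),
    (r"FirewallPolicy\\\w+Profile\\DoNotAllowExceptions", "0", "firewall exceptions allowed"),
    (r"FirewallPolicy\\\w+Profile\\DisableNotifications", "1", "firewall notifications suppressed"),
    (r"Policies\\System\\EnableLUA", "0", "UAC disabled (EnableLUA=0)"),
    (r"Security Center\\AntiVirusOverride", "1", "Security Center AV state overridden"),
    (r"Security Center\\FirewallOverride", "1", "Security Center firewall state overridden"),
    (r"Security Center\\\w+DisableNotify", "1", "Security Center notification suppressed"),
]

# Constructed sample: a subset of the rows shown in this report.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57b640.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57b640.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57b640.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57b640.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57e4d2.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57e4d2.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57e4d2.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57b7b7.exe',
]


def parse_ioc(line):
    """Return (description, path, data-or-None, process), or None for a non-IoC line."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    return m.group("desc"), m.group("path"), m.group("data"), m.group("proc")


def classify(lines):
    """Map each process to the sorted list of impairment findings its rows match.

    Rows that parse but match no rule (e.g. the Svc key creation, or a
    harmless 'Key opened') leave no trace, so only offending processes appear.
    """
    findings = defaultdict(set)
    for line in lines:
        parsed = parse_ioc(line)
        if parsed is None:
            continue
        _, path, data, proc = parsed
        for tail, bad_data, label in RULES:
            if data == bad_data and re.search(tail + r"$", path):
                findings[proc].add(label)
    return {proc: sorted(labels) for proc, labels in findings.items()}


if __name__ == "__main__":
    for proc, labels in classify(SAMPLE_IOCS).items():
        print(proc)
        for label in labels:
            print("  -", label)
```

The rule tails use \w+Profile so the same rule covers DomainProfile and PublicProfile if a variant touches them, and the comparison is on the exact data the report shows, so a write of EnableLUA = "1" (re-enabling UAC) is not reported as impairment.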
Processes

Each entry: image path | command line | PID. Indented entries are child processes; the signatures hit by a process are listed beneath it.

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 784
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 792
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 316
C:\Windows\system32\sihost.exe | sihost.exe | PID 2672
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2680
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3020
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3456
    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9fffc21a697febde4312cf0f2eddcd995c9239677a6f9c931473a44ef79bcacN.dll,#1 | PID 4548
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9fffc21a697febde4312cf0f2eddcd995c9239677a6f9c931473a44ef79bcacN.dll,#1 | PID 4768
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e57b640.exe | C:\Users\Admin\AppData\Local\Temp\e57b640.exe | PID 4436
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e57b7b7.exe | C:\Users\Admin\AppData\Local\Temp\e57b7b7.exe | PID 3312
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e57e4d2.exe | C:\Users\Admin\AppData\Local\Temp\e57e4d2.exe | PID 3228
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e57e4f1.exe | C:\Users\Admin\AppData\Local\Temp\e57e4f1.exe | PID 1696
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3596
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3776
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3864
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3924
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4008
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4148
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 3748
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3324
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 97KB
MD5: e44711c4e6ce7231020b5f9b1c89e0c8
SHA1: a57605199667f41d7adfc1ced132d6f8ca82c00b
SHA256: 8555afedb5b03888fd89f7b2dde5d94fb731db197ef908e94b9a2c5590a27d1d
SHA512: 0d5aab4673a2fa56baab7f73473b5eb2785f117518276379f38a4929886d54b35d4a564905ee0326885111d5c404702fd17736ce24f7073afb841c9c442ece2b

Filesize: 257B
MD5: 912ffbf98c4886873b54c24ba79b898e
SHA1: 7957cf86f1bc249b74d2c699dcb5e7c82b5e2d0c
SHA256: 7ea9bf9673476c6179dc7f3ed3bce467eb76acce5816464a2e679acaf5300a39
SHA512: 489795b81bae3334c72032b2d8cd2602811bf9d4f6490c8d82669658a1e1c19fe9330e5e65856676fc2f55dd3c8aff6a40ff534717209024424603c28824b36d