Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted
05-02-2025 05:03
Static task
static1
Behavioral task
behavioral1
Sample
1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
Resource
win7-20240903-en
General
Target: 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
Size: 1.5MB
MD5: a6fdb26fd84d554f3588b8b64fc5bc50
SHA1: bfa724cf8f09b7c07deb32f4973b9a43b7b1eac0
SHA256: 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbf
SHA512: ede3a78d935e99e4de1d0012a036b62d5bc90bf40454895498e73eb759f409cdbb35ea163ed7cca8ce1c3ad235158abd269f560e1e629e401e39e122ba1912f1
SSDEEP: 24576:3rKxoVT2iXc+KZ++6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7Pcd:WBZ5pdqYH8ia6GcKuR7Pcd
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 3 IoCs)
Process for all entries: 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Sality family
UAC bypass (3 TTPs, 1 IoCs)
Process: 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass (2 TTPs, 6 IoCs)
Process for all entries: 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Windows security modification (2 TTPs, 7 IoCs)
Process for all entries: 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Checks whether UAC is enabled (1 TTPs, 1 IoCs)
Process: 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
resource / yara_rule (all entries match rule upx)
behavioral2/memory/3436-3-0x00000000022F0000-0x00000000033AA000-memory.dmp
behavioral2/memory/3436-1-0x00000000022F0000-0x00000000033AA000-memory.dmp
behavioral2/memory/3436-6-0x00000000022F0000-0x00000000033AA000-memory.dmp
behavioral2/memory/3436-8-0x00000000022F0000-0x00000000033AA000-memory.dmp
behavioral2/memory/3436-9-0x00000000022F0000-0x00000000033AA000-memory.dmp
behavioral2/memory/3436-11-0x00000000022F0000-0x00000000033AA000-memory.dmp
behavioral2/memory/3436-31-0x00000000022F0000-0x00000000033AA000-memory.dmp
behavioral2/memory/3436-10-0x00000000022F0000-0x00000000033AA000-memory.dmp
behavioral2/memory/3436-7-0x00000000022F0000-0x00000000033AA000-memory.dmp
behavioral2/memory/3436-5-0x00000000022F0000-0x00000000033AA000-memory.dmp
behavioral2/memory/3436-4-0x00000000022F0000-0x00000000033AA000-memory.dmp
Drops file in Windows directory (2 IoCs)
Process for all entries: 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
File created C:\Windows\e579e34
File opened for modification C:\Windows\SYSTEM.INI
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process: 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 3436 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
pid 3436 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, pid 3436, process 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe (identical entry repeated 64 times)
Suspicious use of WriteProcessMemory (19 IoCs)
Source for all entries: PID 3436, 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
PID 3436 wrote to memory of 800 (procid_target 9)
PID 3436 wrote to memory of 808 (procid_target 10)
PID 3436 wrote to memory of 316 (procid_target 13)
PID 3436 wrote to memory of 2824 (procid_target 50)
PID 3436 wrote to memory of 2916 (procid_target 51)
PID 3436 wrote to memory of 672 (procid_target 53)
PID 3436 wrote to memory of 3480 (procid_target 56)
PID 3436 wrote to memory of 3588 (procid_target 57)
PID 3436 wrote to memory of 3792 (procid_target 58)
PID 3436 wrote to memory of 3884 (procid_target 59)
PID 3436 wrote to memory of 3980 (procid_target 60)
PID 3436 wrote to memory of 4076 (procid_target 61)
PID 3436 wrote to memory of 4112 (procid_target 62)
PID 3436 wrote to memory of 3412 (procid_target 74)
PID 3436 wrote to memory of 2196 (procid_target 76)
PID 3436 wrote to memory of 4524 (procid_target 80)
PID 3436 wrote to memory of 3196 (procid_target 81)
PID 3436 wrote to memory of 2008 (procid_target 83)
PID 3436 wrote to memory of 540 (procid_target 84)
System policy modification (1 TTPs, 1 IoCs)
Process: 1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
(one process per line: image path, command line, PID; indentation shows parent/child nesting)
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID:800
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID:808
C:\Windows\system32\dwm.exe  cmd: "dwm.exe"  PID:316
C:\Windows\system32\sihost.exe  cmd: sihost.exe  PID:2824
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2916
C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:672
C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID:3480
    C:\Users\Admin\AppData\Local\Temp\1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\1d80f332afab1c5d468e5bbe8b255152b8a9af73bb4fd43364c6334bbfcadbbfN.exe"  PID:3436
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\System32\Conhost.exe  cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID:2008
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3588
C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3792
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3884
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3980
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:4076
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4112
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:3412
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:2196
C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca  PID:4524
C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:3196
C:\Windows\system32\BackgroundTaskHost.exe  cmd: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider  PID:540
Network
MITRE ATT&CK Enterprise v15
(tactic, then technique and sub-technique with the number of matching signatures in parentheses)
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)