Analysis
- max time kernel: 31s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20250129-en locale:en-us os:windows10-2004-x64 system
- submitted: 05-02-2025 13:57
Static task: static1
Behavioral task: behavioral1
Sample: dbcb75526aeebf8af706dea66f356099481f454a0f787d984cfee67da886cff4.dll
Resource: win7-20240903-en
General
- Target: dbcb75526aeebf8af706dea66f356099481f454a0f787d984cfee67da886cff4.dll
- Size: 120KB
- MD5: 7ba167a2a477d7b567ea48cf82273e79
- SHA1: 7d7d4ddf5e6d6200272c56af96f3685d8252376a
- SHA256: dbcb75526aeebf8af706dea66f356099481f454a0f787d984cfee67da886cff4
- SHA512: 16d19c513043d95eee0bc14bf81c3cb80bcc5c612b5fb021fec34e0daaa2fdaa246a7ca53e3228f7b5a3fb9319e22922236ba61c4f26663fdd52f51fe1cffe66
- SSDEEP: 3072:VEgVV7VOvSMIlJxeJsBcQpCzxUamtiCFm:VhDsIP0JA8FUaOi/
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578fdc.exe
Sality family
UAC bypass 3 TTPs 2 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577119.exe
Windows security bypass 2 TTPs 12 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578fdc.exe
Executes dropped EXE 3 IoCs
  pid | Process
  4992 | e577119.exe
  1328 | e5772af.exe
  1072 | e578fdc.exe
Windows security modification 2 TTPs 14 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578fdc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578fdc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577119.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578fdc.exe
Checks whether UAC is enabled 1 TTPs 2 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578fdc.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\G: | e578fdc.exe
  File opened (read-only) | \??\I: | e578fdc.exe
  File opened (read-only) | \??\H: | e577119.exe
  File opened (read-only) | \??\L: | e577119.exe
  File opened (read-only) | \??\N: | e577119.exe
  File opened (read-only) | \??\K: | e577119.exe
  File opened (read-only) | \??\O: | e577119.exe
  File opened (read-only) | \??\E: | e578fdc.exe
  File opened (read-only) | \??\H: | e578fdc.exe
  File opened (read-only) | \??\G: | e577119.exe
  File opened (read-only) | \??\I: | e577119.exe
  File opened (read-only) | \??\J: | e577119.exe
  File opened (read-only) | \??\E: | e577119.exe
  File opened (read-only) | \??\M: | e577119.exe
  File opened (read-only) | \??\J: | e578fdc.exe
  resource | yara_rule
  behavioral2/memory/4992-12-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-26-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-30-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-25-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-11-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-10-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-9-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-8-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-6-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-34-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-32-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-35-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-36-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-37-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-38-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-39-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-41-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-55-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-61-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-63-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-64-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-65-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-67-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-70-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-73-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-76-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4992-79-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/1072-113-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
  behavioral2/memory/1072-151-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
  behavioral2/memory/1072-152-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
Drops file in Program Files directory 3 IoCs
  description | ioc | Process
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | e577119.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | e577119.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e577119.exe
Drops file in Windows directory 3 IoCs
  description | ioc | Process
  File created | C:\Windows\e577186 | e577119.exe
  File opened for modification | C:\Windows\SYSTEM.INI | e577119.exe
  File created | C:\Windows\e57c38e | e578fdc.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5772af.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578fdc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577119.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
  pid | Process
  4992 | e577119.exe
  4992 | e577119.exe
  4992 | e577119.exe
  4992 | e577119.exe
  1072 | e578fdc.exe
  1072 | e578fdc.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 4992 | e577119.exe   (this identical row appears 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target
  PID 3572 wrote to memory of 1680 | 3572 | rundll32.exe | 82
  PID 3572 wrote to memory of 1680 | 3572 | rundll32.exe | 82
  PID 3572 wrote to memory of 1680 | 3572 | rundll32.exe | 82
  PID 1680 wrote to memory of 4992 | 1680 | rundll32.exe | 84
  PID 1680 wrote to memory of 4992 | 1680 | rundll32.exe | 84
  PID 1680 wrote to memory of 4992 | 1680 | rundll32.exe | 84
  PID 4992 wrote to memory of 776 | 4992 | e577119.exe | 8
  PID 4992 wrote to memory of 784 | 4992 | e577119.exe | 9
  PID 4992 wrote to memory of 1020 | 4992 | e577119.exe | 13
  PID 4992 wrote to memory of 2916 | 4992 | e577119.exe | 49
  PID 4992 wrote to memory of 2940 | 4992 | e577119.exe | 50
  PID 4992 wrote to memory of 2116 | 4992 | e577119.exe | 52
  PID 4992 wrote to memory of 3332 | 4992 | e577119.exe | 56
  PID 4992 wrote to memory of 3532 | 4992 | e577119.exe | 57
  PID 4992 wrote to memory of 3740 | 4992 | e577119.exe | 58
  PID 4992 wrote to memory of 3836 | 4992 | e577119.exe | 59
  PID 4992 wrote to memory of 3896 | 4992 | e577119.exe | 60
  PID 4992 wrote to memory of 3984 | 4992 | e577119.exe | 61
  PID 4992 wrote to memory of 3652 | 4992 | e577119.exe | 62
  PID 4992 wrote to memory of 2620 | 4992 | e577119.exe | 73
  PID 4992 wrote to memory of 4748 | 4992 | e577119.exe | 75
  PID 4992 wrote to memory of 3512 | 4992 | e577119.exe | 79
  PID 4992 wrote to memory of 2776 | 4992 | e577119.exe | 80
  PID 4992 wrote to memory of 3572 | 4992 | e577119.exe | 81
  PID 4992 wrote to memory of 1680 | 4992 | e577119.exe | 82
  PID 4992 wrote to memory of 1680 | 4992 | e577119.exe | 82
  PID 4992 wrote to memory of 3636 | 4992 | e577119.exe | 83
  PID 1680 wrote to memory of 1328 | 1680 | rundll32.exe | 85
  PID 1680 wrote to memory of 1328 | 1680 | rundll32.exe | 85
  PID 1680 wrote to memory of 1328 | 1680 | rundll32.exe | 85
  PID 1680 wrote to memory of 1072 | 1680 | rundll32.exe | 88
  PID 1680 wrote to memory of 1072 | 1680 | rundll32.exe | 88
  PID 1680 wrote to memory of 1072 | 1680 | rundll32.exe | 88
  PID 4992 wrote to memory of 776 | 4992 | e577119.exe | 8
  PID 4992 wrote to memory of 784 | 4992 | e577119.exe | 9
  PID 4992 wrote to memory of 1020 | 4992 | e577119.exe | 13
  PID 4992 wrote to memory of 2916 | 4992 | e577119.exe | 49
  PID 4992 wrote to memory of 2940 | 4992 | e577119.exe | 50
  PID 4992 wrote to memory of 2116 | 4992 | e577119.exe | 52
  PID 4992 wrote to memory of 3332 | 4992 | e577119.exe | 56
  PID 4992 wrote to memory of 3532 | 4992 | e577119.exe | 57
  PID 4992 wrote to memory of 3740 | 4992 | e577119.exe | 58
  PID 4992 wrote to memory of 3836 | 4992 | e577119.exe | 59
  PID 4992 wrote to memory of 3896 | 4992 | e577119.exe | 60
  PID 4992 wrote to memory of 3984 | 4992 | e577119.exe | 61
  PID 4992 wrote to memory of 3652 | 4992 | e577119.exe | 62
  PID 4992 wrote to memory of 2620 | 4992 | e577119.exe | 73
  PID 4992 wrote to memory of 4748 | 4992 | e577119.exe | 75
  PID 4992 wrote to memory of 3512 | 4992 | e577119.exe | 79
  PID 4992 wrote to memory of 2776 | 4992 | e577119.exe | 80
  PID 4992 wrote to memory of 1328 | 4992 | e577119.exe | 85
  PID 4992 wrote to memory of 1328 | 4992 | e577119.exe | 85
  PID 4992 wrote to memory of 4608 | 4992 | e577119.exe | 86
  PID 4992 wrote to memory of 5088 | 4992 | e577119.exe | 87
  PID 4992 wrote to memory of 1072 | 4992 | e577119.exe | 88
  PID 4992 wrote to memory of 1072 | 4992 | e577119.exe | 88
  PID 1072 wrote to memory of 776 | 1072 | e578fdc.exe | 8
  PID 1072 wrote to memory of 784 | 1072 | e578fdc.exe | 9
  PID 1072 wrote to memory of 1020 | 1072 | e578fdc.exe | 13
  PID 1072 wrote to memory of 2916 | 1072 | e578fdc.exe | 49
  PID 1072 wrote to memory of 2940 | 1072 | e578fdc.exe | 50
  PID 1072 wrote to memory of 2116 | 1072 | e578fdc.exe | 52
  PID 1072 wrote to memory of 3332 | 1072 | e578fdc.exe | 56
  PID 1072 wrote to memory of 3532 | 1072 | e578fdc.exe | 57
System policy modification 1 TTPs 2 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577119.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578fdc.exe
Processes
path | command line | PID  (indentation shows the process tree nesting level)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1020
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2916
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2940
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2116
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3332
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbcb75526aeebf8af706dea66f356099481f454a0f787d984cfee67da886cff4.dll,#1 | PID:3572
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbcb75526aeebf8af706dea66f356099481f454a0f787d984cfee67da886cff4.dll,#1 | PID:1680
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e577119.exe | C:\Users\Admin\AppData\Local\Temp\e577119.exe | PID:4992
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5772af.exe | C:\Users\Admin\AppData\Local\Temp\e5772af.exe | PID:1328
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e578fdc.exe | C:\Users\Admin\AppData\Local\Temp\e578fdc.exe | PID:1072
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3532
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3740
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3836
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3896
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3984
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3652
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2620
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4748
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:3512
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2776
- C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | PID:3636
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4608
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:5088
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: c0081356aa7eb83b569d1dc436539689
  SHA1: d2fb32ae802241f45b6718a7de81677ad4b42fb9
  SHA256: fbc155647df3e3c2a2a46ba030b9313fb2b13836b7e7dfffde8145c569e875e5
  SHA512: 8637cda220d3ef7a7a3689cfb93bd39af19cf28f05eba3e5176802d011c0d64422c14477a8096b3df902147318cb26c5ffe2c9ccdd779baeddb86817e90f8a38
- Filesize: 257B
  MD5: 81f855c64210ad52b73cbfea1004e927
  SHA1: 09165fd36edf04fedccab7ce61f6dde58bcdb794
  SHA256: f4932dfc9ea78923e666e4154c066180b359e736bfae5fc32b3f23833ab3df9a
  SHA512: 710276822198c08aa2337bbf559caca20843b8c933a808c01315b9466fa9de3dff15f6c3b43a2051e913ee6cd4331e73e6789ea88ed46b2221a8d04e5bb6f307