Source: Yara match |
File source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe, type: SAMPLE |
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe, type: SAMPLE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: classification engine |
Classification label: mal56.expl.winEXE@0/0@0/0 |
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe |
String found in binary or memory: id-cmc-addExtensions |
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe |
String found in binary or memory: set-addPolicy |
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe |
String found in binary or memory: #G $G*SeDebugPrivilegentdll.dllNtQuerySystemInformationNtQueryObjectNtQuerySectionkernel32.dllNtWow64QueryInformationProcess64NtWow64ReadVirtualMemory64A:\SystemRoot\??\UnmapViewOfFile [-] Can't kill whitelist process (%s - pid:%i), file: %s[*] Killing blocking process (%s - pid:%i), file: %sRstrtmgr.dll [-] Restart manager not loaded! Code %lu.ntdllNtSetInformationProcessNtQueryInformationProcess [-] Unlock file failed: %s. Code %lu. [-] RmStartSession failed. Error = %i. Code %lu. [-] RmRegisterResources failed. Error = %i. Code %lu. [-] RmGetList failed. Error = %i. Code %lu.[*] Killing blocking process: %s (%s - pid:%i) [-] Failed to kill process pid:%i. Code %lu.[*] Service: %sSYSTEM\CurrentControlSet\Services\Start [-] Failed to disable service: %s! Code %lu.[*] Process: %sspoolsv.exesihost.exefontdrvhost.execmd.exedwm.exeLogonUI.exelsass.execsrss.exesmss.exewinlogon.exeservices.execonhost.exeeverything.exe[+] Success run: %s (pid:%i)[+] Failed to run: %s! Code %lu.abcdefghijklmnopqrstuvwxyzLocal_ABCDEF0123456789XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXWhosYourBunny[*] CLONE INFO: I'm a clone![*] CLONE INFO: I'm original process!"%1" %*Software\Classes\exefile\shell\open\command[+] Auto-elevation success.\AppData\ [-] Auto-elevation failed! Code %lu.[+] Re-launch success. [-] Re-launch failed! Code %lu.[+] Command execution completed.\*[+] OK Copy: %s => %s [-] Failed! Copy: %s = |
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe |
String found in binary or memory: %s. Code %lu.*.exe*.iniSOFTWARE\Microsoft\Windows\CurrentVersion\RunHKEY_LOCAL_MACHINEHKEY_CURRENT_USER[+] Autorun added success => %s\%s [-] Failed to write autorun value. Code %lu. [-] Failed to create autorun key. Code %lu.ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 "%s" & cd /d "%s" & Del /f /q /a *.exe *.batcmd.exe /d /c "ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 "%s" & cd /d "%s" & Del /f /q /a *.exe *.ini *.dll *.bat *.db[*] Process (high RAM): %ssqlbackupdatabase[*] Added process: %s (%s)[*] Added service: %s [-] Failed to get active session Id. Code %lu [-] CreateToolhelp32Snapshot failed. Code %luexplorer.exe [-] Couldn't find explorer [-] Failed to open explorer. Code %lu [-] Failed to duplicate token. Code %ludeque<T> too longFileSectionntuser.dat[*] LOCAL: %i dirs processed.[*] NETWORK: %i dirs processed. [-] FindFirstFile fails in directory %s. Code %lu.\Everything.exe\Everything2.ini\Everything.ini" -startup [-] Cannot find everything engine: %s!\Program Files\Everything\Program Files (x86)\Everything[*] Everything Setup...Everything.exewevtutil.exe cl securitywevtutil.exe cl systemwevtutil.exe cl application!*.<file: |
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe |
Static file information: File size 2522231 > 1048576 |