Analysis

max time kernel: 132s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/06/2023, 07:22
Static task: static1
Behavioral task: behavioral1
Sample: 补丁校验包制作工具.exe
Resource: win7-20230220-en

Note that the behavioral1 entry names the Windows 7 image, while the platform and resource fields above and the memory-dump paths under Signatures (behavioral2/memory/...) belong to the Windows 10 2004 run; the signature and process data on this page come from that Windows 10 run.
General

Target: 补丁校验包制作工具.exe (Chinese, "patch verification package creation tool")
Size: 140KB
MD5: ab77792d3b90f5f2c298d4e42a9a09ec
SHA1: 3e51a53026c60e4d32acab488a8f25df558297e7
SHA256: 0b87fb9be9cc8adedbd6d747cf7fe25ff324659cb006f05d9716218d98c7adc9
SHA512: f53c74bac8d67a8b7eeb1364ed3707e2588af619592e4b2eaca65e7e9bdb15e4ce3687654e114a88bc448fadeff5ccbc6cc53076a0c6806104835eca3b5975b4
SSDEEP: 3072:XPu20auEel8JNfp0IVoBArO8LRfLYSvVhrTJOU:XO/cKAdfL7vVhnR
Malware Config

Extracted family: sality
URLs from the extracted configuration:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

All registry IoCs below were written by the sample process 补丁校验包制作工具.exe (PID 1652). Taken together they turn off the standard-profile firewall, disable UAC (EnableLUA = 0) and silence Security Center warnings, which is Sality's usual host-weakening routine. The Security Center values are the XP-era keys; the sample writes them under WOW6432Node (it is a 32-bit process on x64) regardless of whether the Windows 10 host still honours them, and the firewall values go to ControlSet001 rather than CurrentControlSet, so a host check should look at both paths.

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: 补丁校验包制作工具.exe
Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int) EnableFirewall = "0"
- Set value (int) DoNotAllowExceptions = "0"
- Set value (int) DisableNotifications = "1"

UAC bypass (1 IoC)
Process: 补丁校验包制作工具.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass (6 IoCs)
Process: 补丁校验包制作工具.exe
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
- Set value (int) AntiVirusOverride = "1"
- Set value (int) AntiVirusDisableNotify = "1"
- Set value (int) FirewallDisableNotify = "1"
- Set value (int) FirewallOverride = "1"
- Set value (int) UpdatesDisableNotify = "1"
- Set value (int) UacDisableNotify = "1"

Yara rule match: upx (40 IoCs)
All 40 matches are memory dumps of PID 1652 (补丁校验包制作工具.exe) covering the same region 0x00000000023A0000-0x000000000342E000, taken at successive points in the run: behavioral2/memory/1652-NNN-0x00000000023A0000-0x000000000342E000-memory.dmp with NNN = 134, 136, 137, 141, 142, 143, 144, 145, 147, 148, 149, 150, 151, 152, 154, 155, 156, 158, 160, 162, 164, 166, 174, 176, 177, 179, 180, 181, 182, 183, 186, 191, 192, 194, 196, 199, 200, 201, 203, 205.

Windows security modification (7 IoCs)
Process: 补丁校验包制作工具.exe
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
- Set value (int) FirewallDisableNotify = "1"
- Set value (int) FirewallOverride = "1"
- Set value (int) UpdatesDisableNotify = "1"
- Set value (int) UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int) AntiVirusOverride = "1"
- Set value (int) AntiVirusDisableNotify = "1"

Checks whether UAC is enabled (1 IoC)
Process: 补丁校验包制作工具.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 补丁校验包制作工具.exe
File opened (read-only), one IoC per drive letter: \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops autorun.inf file (1 TTPs, 1 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Process: 补丁校验包制作工具.exe
- File opened for modification C:\autorun.inf

Drops file in Program Files directory (11 IoCs)
Process: 补丁校验包制作工具.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe

Every path in this list is an existing executable opened for writing, not a new file. That is consistent with Sality being a parasitic .exe infector; the signature name reflects the file operation the sandbox saw, so treat these binaries (and any other .exe the sample could reach) as infected rather than as dropped payloads.

Drops file in Windows directory (1 IoCs)
Process: 补丁校验包制作工具.exe
- File opened for modification C:\Windows\SYSTEM.INI

Sality is known to keep state in system.ini under an [MCIDRV_VER] section (DEVICEMB= value), so this file is worth checking when scoping an infection.
Suspicious behavior: EnumeratesProcesses (22 IoCs)
22 occurrences, all from PID 1652 (补丁校验包制作工具.exe).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
64 occurrences of Token: SeDebugPrivilege, all from PID 1652 (补丁校验包制作工具.exe).

Suspicious use of SetWindowsHookEx (2 IoCs)
2 occurrences, both from PID 1652 (补丁校验包制作工具.exe).

Suspicious use of WriteProcessMemory (64 IoCs)
PID 1652 (补丁校验包制作工具.exe) wrote into the memory of the following processes, cycling through the same set of targets repeatedly (64 events listed; the number in parentheses is the report's procid_target index):
- 808 fontdrvhost.exe, 5 writes (9)
- 816 fontdrvhost.exe, 5 writes (10)
- 1016 dwm.exe, 5 writes (11)
- 2332 sihost.exe, 5 writes (42)
- 2340 svchost.exe -k UnistackSvcGroup -s CDPUserSvc, 5 writes (41)
- 2444 taskhostw.exe, 5 writes (44)
- 2416 Explorer.EXE, 5 writes (54)
- 3292 svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc, 4 writes (55)
- 3464 DllHost.exe, 4 writes (57)
- 3612 StartMenuExperienceHost.exe, 4 writes (59)
- 3676 RuntimeBroker.exe, 4 writes (58)
- 3804 SearchApp.exe, 4 writes (60)
- 3992 RuntimeBroker.exe, 4 writes (61)
- 4828 RuntimeBroker.exe, 4 writes (80)
- 1276 RuntimeBroker.exe, 1 write (71)

System policy modification (1 TTPs, 1 IoCs)
Process: 补丁校验包制作工具.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
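The registry IoCs in the Signatures section arrive as flattened "Set value (type) path = "data" process" rows. The following script, an added example and not tria.ge code, parses rows in that format, folds the WOW6432Node and ControlSetNNN components so 32-bit and 64-bit writes compare equal, and flags every write that sets one of the controls listed above (firewall policy, EnableLUA, Security Center) to its weakened state. The input rows are constructed from this report's IoCs plus one benign write added for contrast; the rule table and its descriptions are the author's, not something the report carries.

```python
"""Triage sandbox registry rows for security-weakening writes.

Added example for this report, not tria.ge code. SAMPLE_LINES is constructed
from the IoCs under Signatures (one benign row added); the row format follows
the report's own 'Set value (type) <path> = "<data>" <process>' wording.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)
KEY_RE = re.compile(r"^Key created (?P<path>.+?) (?P<proc>\S+)$")

# NT-native hive prefixes as they appear in the report -> analyst short names.
HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}


@dataclass(frozen=True)
class RegEvent:
    op: str                # "set" or "create"
    key: str               # canonical key, e.g. HKLM\SOFTWARE\Microsoft\Security Center
    value: Optional[str]   # value name for "set", None for "create"
    data: Optional[str]
    process: str


def canonical(path: str) -> str:
    """Map an NT path to HKLM/HKU form and fold the two components that make one
    logical key appear under different names: the WOW6432Node redirect used by
    32-bit writers and ControlSetNNN, which CurrentControlSet links to. The
    ControlSet fold is an approximation: CurrentControlSet points at whichever
    control set is active, usually but not always ControlSet001."""
    upper = path.upper()
    for nt, short in HIVES.items():
        if upper.startswith(nt):
            path = short + path[len(nt):]
            break
    parts = [p for p in path.split("\\") if p.upper() != "WOW6432NODE"]
    parts = ["CurrentControlSet" if re.fullmatch(r"(?i)ControlSet\d{3}", p) else p
             for p in parts]
    return "\\".join(parts)


FW = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile"
SC = "HKLM\\SOFTWARE\\Microsoft\\Security Center"
POL = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"

# (key, value name) -> (data that weakens the host, meaning). Author's table,
# built from the values this report lists; registry names are case-insensitive,
# so lookups go through lower-cased tuples.
RULES = {
    (FW, "EnableFirewall"): ("0", "Windows Firewall off for the standard profile"),
    (FW, "DoNotAllowExceptions"): ("0", "firewall exceptions allowed again"),
    (FW, "DisableNotifications"): ("1", "firewall notifications suppressed"),
    (POL, "EnableLUA"): ("0", "UAC disabled (effective after a reboot)"),
    (SC, "AntiVirusOverride"): ("1", "Security Center told to ignore AV state"),
    (SC, "AntiVirusDisableNotify"): ("1", "AV warnings suppressed"),
    (SC, "FirewallOverride"): ("1", "Security Center told to ignore firewall state"),
    (SC, "FirewallDisableNotify"): ("1", "firewall warnings suppressed"),
    (SC, "UpdatesDisableNotify"): ("1", "update warnings suppressed"),
    (SC, "UacDisableNotify"): ("1", "UAC warnings suppressed"),
}
RULES_CI = {(k.lower(), v.lower()): r for (k, v), r in RULES.items()}


def parse_line(line: str) -> Optional[RegEvent]:
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        key, _, value = canonical(m["path"]).rpartition("\\")
        return RegEvent("set", key, value, m["data"], m["proc"])
    m = KEY_RE.match(line)
    if m:
        return RegEvent("create", canonical(m["path"]), None, None, m["proc"])
    return None


def triage(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (process, canonical value path, data, meaning) for each write that
    sets a known security control to its weakened state."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.op != "set":
            continue
        rule = RULES_CI.get((ev.key.lower(), ev.value.lower()))
        if rule and ev.data == rule[0]:
            hits.append((ev.process, ev.key + "\\" + ev.value, ev.data, rule[1]))
    return hits


# Constructed from the report's IoC rows; the last row is a benign write (constructed).
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 补丁校验包制作工具.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 补丁校验包制作工具.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 补丁校验包制作工具.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 补丁校验包制作工具.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 补丁校验包制作工具.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 补丁校验包制作工具.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 补丁校验包制作工具.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 补丁校验包制作工具.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 补丁校验包制作工具.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 补丁校验包制作工具.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 补丁校验包制作工具.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1000\Control Panel\Desktop\ScreenSaveActive = "1" explorer.exe',
]

if __name__ == "__main__":
    for proc, path, data, why in triage(SAMPLE_LINES):
        print(f"{proc}: {path} = {data}  -> {why}")
```

Run against the constructed rows it reports ten weakened controls, all from 补丁校验包制作工具.exe, and ignores the key creation and the benign write. To use it on a live host rather than a report, feed it rows exported from your EDR or from the registry itself, keeping the NT-native path form so the same canonicalisation applies.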
Processes

The depth-1 entries are pre-existing session processes; each of them appears in the tree because it is a target of the sample's WriteProcessMemory calls (see the list above). The only tracked sample process is 补丁校验包制作工具.exe (PID 1652) at depth 2.

- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe"), PID 808
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe"), PID 816
- C:\Windows\system32\dwm.exe ("dwm.exe"), PID 1016
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc), PID 2340
- C:\Windows\system32\sihost.exe (sihost.exe), PID 2332
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}), PID 2444
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID 2416
  - C:\Users\Admin\AppData\Local\Temp\补丁校验包制作工具.exe ("C:\Users\Admin\AppData\Local\Temp\补丁校验包制作工具.exe"), PID 1652
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc), PID 3292
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID 3464
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 3676
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca), PID 3612
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca), PID 3804
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 3992
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 1276
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 4828
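WriteProcessMemory on its own is ambiguous: a loader writes into the suspended child it just created, and so does process hollowing, but writes into processes the writer never created (dwm.exe, fontdrvhost.exe, the user's Explorer.EXE) can only be injection. The script below, an added example and not tria.ge code, joins the WriteProcessMemory rows to the process list to make that distinction. The process table is constructed from this report; parent PIDs are an assumption read off the tree depth shown above (the sample under Explorer.EXE, everything else a session root), and PID 5000 with its write is constructed to exercise the "child" case.

```python
"""Separate injection into unrelated processes from writes into the writer's
own children, using a sandbox report's WriteProcessMemory rows and process list.

Added example, not tria.ge code. PROCESSES is constructed from this report's
process list; parent PIDs are an assumption taken from the tree depth (sample
at depth 2 under Explorer.EXE). PID 5000 is constructed and not in the report.
"""
import re
from collections import Counter
from typing import Dict, Optional, Tuple

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# pid -> (image / command line, parent pid or None when the parent is outside the report)
PROCESSES: Dict[int, Tuple[str, Optional[int]]] = {
    808: ("fontdrvhost.exe", None),
    816: ("fontdrvhost.exe", None),
    1016: ("dwm.exe", None),
    2332: ("sihost.exe", None),
    2340: ("svchost.exe -k UnistackSvcGroup -s CDPUserSvc", None),
    2444: ("taskhostw.exe", None),
    2416: ("Explorer.EXE", None),
    1652: ("补丁校验包制作工具.exe", 2416),   # parent assumed from tree depth
    3292: ("svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc", None),
    3464: ("DllHost.exe", None),
    3612: ("StartMenuExperienceHost.exe", None),
    3676: ("RuntimeBroker.exe", None),
    3804: ("SearchApp.exe", None),
    3992: ("RuntimeBroker.exe", None),
    1276: ("RuntimeBroker.exe", None),
    4828: ("RuntimeBroker.exe", None),
    5000: ("child.exe", 1652),              # constructed, not in the report
}

# Constructed excerpt in the report's own row wording: five of the first-round
# targets, a repeat write to fontdrvhost.exe, and the constructed child.
EVENTS = (
    "PID 1652 wrote to memory of 808 1652 补丁校验包制作工具.exe 9 "
    "PID 1652 wrote to memory of 816 1652 补丁校验包制作工具.exe 10 "
    "PID 1652 wrote to memory of 1016 1652 补丁校验包制作工具.exe 11 "
    "PID 1652 wrote to memory of 2416 1652 补丁校验包制作工具.exe 54 "
    "PID 1652 wrote to memory of 3804 1652 补丁校验包制作工具.exe 60 "
    "PID 1652 wrote to memory of 808 1652 补丁校验包制作工具.exe 9 "
    "PID 1652 wrote to memory of 5000 1652 补丁校验包制作工具.exe 99 "
)


def is_ancestor(candidate: int, pid: int) -> bool:
    """True if `candidate` is somewhere on the parent chain of `pid`."""
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        parent = PROCESSES.get(pid, (None, None))[1]
        if parent == candidate:
            return True
        pid = parent
    return False


def classify(writer: int, target: int) -> str:
    if target == writer:
        return "self"
    if target not in PROCESSES:
        return "unknown"     # not in the process list; resolve it elsewhere
    if is_ancestor(writer, target):
        return "child"       # writer created the target: loader setup or hollowing, still worth a look
    return "injection"       # write into a process the writer did not create


def summarize(events_text: str) -> Dict[int, Tuple[str, int, str]]:
    """Return {target_pid: (image, write_count, verdict)} for every target seen."""
    counts = Counter()
    for writer, target in WRITE_RE.findall(events_text):
        counts[(int(writer), int(target))] += 1
    out = {}
    for (writer, target), n in counts.items():
        image = PROCESSES.get(target, ("?", None))[0]
        out[target] = (image, n, classify(writer, target))
    return out


if __name__ == "__main__":
    for pid, (image, n, verdict) in sorted(summarize(EVENTS).items()):
        print(f"{pid:>5} {image:<45} writes={n} {verdict}")
```

On the report's own rows every target comes back as "injection", which matches the picture of Sality injecting into each process in the user's session; the writer's own parent (Explorer.EXE, 2416) is classified the same way, since writing into your parent is no more legitimate than writing into dwm.exe. A "child" verdict is not a clean bill of health, only a different pattern that needs the target's image and entry point checked for hollowing.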
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 100KB
MD5: 6be4ee66547d76f5e9d0a75eff19fbc3
SHA1: e5604fa7eff27274d4ac17108c2bdd1f0ad3a6d9
SHA256: 42c461987d9e49d3760026de581fef6b537634dfba9cada0c02aa117549cf88d
SHA512: a1b7ef0eaa8e865de9ef4983d03b0951e798ce08190bf4d7f2bfe6069a05a41f50640985449f62ee2b384d452242af908d1c1a05a7ae26cdfe06f6200b20a8c0