Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 50s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2024, 22:40
Static task: static1
Behavioral task: behavioral1
Sample: 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Resource: win7-20240221-en
General
Target: 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Size: 282KB
MD5: 4e329b43d4d3d9ae7d34c2c93aa52ba9
SHA1: 14347433cb7954222b901c8c18e7d4c040ae7ad0
SHA256: 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9
SHA512: 72a92c55be81719693c1f80cc5d8c1716b7ffd210188474594477515b33868fc1eb51359356ce9259dfd8b3f9674516ecad28c305a274e5264579b9d68c9217a
SSDEEP: 3072:SObjCPedQsoaRJU7KF+6aLK2IJqi6uS+gkDstXKJVqv8d0JG2wmVVW8wwWjwnCms:SXPEQaNJVYlNsJlsjzdjXYL9
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Rundll32.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Detects executables containing possible sandbox analysis VM usernames 1 IoCs
resource | yara_rule
behavioral2/files/0x0009000000023411-83.dat | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 15 IoCs
resource | yara_rule
behavioral2/memory/2176-5-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2176-9-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2176-7-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2176-12-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2176-20-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2176-33-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2176-38-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2176-43-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2176-49-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2176-62-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2176-58-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2176-53-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2176-166-0x00000000021A0000-0x000000000325A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/728-171-0x0000000002CB0000-0x0000000003D6A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/728-239-0x0000000002CB0000-0x0000000003D6A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
UPX dump on OEP (original entry point) 16 IoCs
resource | yara_rule
behavioral2/memory/2176-5-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/2176-9-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/2176-7-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/2176-12-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/2176-20-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/2176-33-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/2176-38-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/2176-43-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/2176-49-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/2176-62-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/2176-58-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/2176-53-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/2176-165-0x0000000000400000-0x0000000000438000-memory.dmp | UPX
behavioral2/memory/2176-166-0x00000000021A0000-0x000000000325A000-memory.dmp | UPX
behavioral2/memory/728-171-0x0000000002CB0000-0x0000000003D6A000-memory.dmp | UPX
behavioral2/memory/728-239-0x0000000002CB0000-0x0000000003D6A000-memory.dmp | UPX
Blocklisted process makes network request 1 IoCs
flow | pid | Process
13 | 728 | Rundll32.exe
Stops running service(s) 3 TTPs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | Rundll32.exe
Loads dropped DLL 3 IoCs
pid | Process
232 | Rundll32.exe
728 | Rundll32.exe
728 | Rundll32.exe
UPX packed file 15 IoCs
resource | yara_rule
behavioral2/memory/2176-5-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/2176-9-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/2176-7-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/2176-12-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/2176-20-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/2176-33-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/2176-38-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/2176-43-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/2176-49-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/2176-62-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/2176-58-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/2176-53-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/2176-166-0x00000000021A0000-0x000000000325A000-memory.dmp | upx
behavioral2/memory/728-171-0x0000000002CB0000-0x0000000003D6A000-memory.dmp | upx
behavioral2/memory/728-239-0x0000000002CB0000-0x0000000003D6A000-memory.dmp | upx
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Rundll32.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" | Rundll32.exe
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Y: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\E: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\P: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\M: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\O: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\S: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\L: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\I: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\R: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\E: | Rundll32.exe
File opened (read-only) | \??\D: | Rundll32.exe
File opened (read-only) | \??\H: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\G: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\T: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\U: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\Z: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\F: | Rundll32.exe
File opened (read-only) | \??\N: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\V: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\X: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\K: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\Q: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\W: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\G: | Rundll32.exe
File opened (read-only) | \??\J: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\slidmgaa.dll | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File created | C:\Windows\SysWOW64\kbogmgaa.dll | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Drops file in Program Files directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\AAV\CDriver.sys | Rundll32.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57513d | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | C:\Windows\SYSTEM.INI | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File created | C:\Windows\e57f695 | Rundll32.exe
Launches sc.exe 7 IoCs
sc.exe is a Windows utility to control services on the system.
pid | Process
2440 | sc.exe
2528 | sc.exe
1916 | sc.exe
1436 | sc.exe
4296 | sc.exe
3216 | sc.exe
2348 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs net.exe
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid | Process (consecutive identical rows collapsed, count in brackets)
2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe (x2)
232 | Rundll32.exe (x10)
2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe (x2)
232 | Rundll32.exe (x4)
728 | Rundll32.exe (x2)
2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe (x6)
728 | Rundll32.exe (x2)
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
656 | Process not Found
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe (the same row repeated 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2176 wrote to memory of 232 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 86
PID 2176 wrote to memory of 232 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 86
PID 2176 wrote to memory of 232 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 86
PID 232 wrote to memory of 3088 | 232 | Rundll32.exe | 87
PID 232 wrote to memory of 3088 | 232 | Rundll32.exe | 87
PID 232 wrote to memory of 3088 | 232 | Rundll32.exe | 87
PID 232 wrote to memory of 1220 | 232 | Rundll32.exe | 88
PID 232 wrote to memory of 1220 | 232 | Rundll32.exe | 88
PID 232 wrote to memory of 1220 | 232 | Rundll32.exe | 88
PID 232 wrote to memory of 2528 | 232 | Rundll32.exe | 89
PID 232 wrote to memory of 2528 | 232 | Rundll32.exe | 89
PID 232 wrote to memory of 2528 | 232 | Rundll32.exe | 89
PID 232 wrote to memory of 1916 | 232 | Rundll32.exe | 91
PID 232 wrote to memory of 1916 | 232 | Rundll32.exe | 91
PID 232 wrote to memory of 1916 | 232 | Rundll32.exe | 91
PID 2176 wrote to memory of 796 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 9
PID 2176 wrote to memory of 804 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 10
PID 2176 wrote to memory of 384 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 13
PID 232 wrote to memory of 1436 | 232 | Rundll32.exe | 92
PID 232 wrote to memory of 1436 | 232 | Rundll32.exe | 92
PID 232 wrote to memory of 1436 | 232 | Rundll32.exe | 92
PID 232 wrote to memory of 2348 | 232 | Rundll32.exe | 93
PID 232 wrote to memory of 2348 | 232 | Rundll32.exe | 93
PID 232 wrote to memory of 2348 | 232 | Rundll32.exe | 93
PID 232 wrote to memory of 3216 | 232 | Rundll32.exe | 94
PID 232 wrote to memory of 3216 | 232 | Rundll32.exe | 94
PID 232 wrote to memory of 3216 | 232 | Rundll32.exe | 94
PID 232 wrote to memory of 4296 | 232 | Rundll32.exe | 95
PID 232 wrote to memory of 4296 | 232 | Rundll32.exe | 95
PID 232 wrote to memory of 4296 | 232 | Rundll32.exe | 95
PID 232 wrote to memory of 2176 | 232 | Rundll32.exe | 85
PID 232 wrote to memory of 2176 | 232 | Rundll32.exe | 85
PID 2176 wrote to memory of 3052 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 50
PID 2176 wrote to memory of 3104 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 51
PID 2176 wrote to memory of 3184 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 52
PID 2176 wrote to memory of 3528 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 56
PID 2176 wrote to memory of 3668 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 57
PID 2176 wrote to memory of 3852 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 58
PID 2176 wrote to memory of 3948 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 59
PID 2176 wrote to memory of 4012 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 60
PID 2176 wrote to memory of 3168 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 61
PID 2176 wrote to memory of 4208 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 62
PID 2176 wrote to memory of 2900 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 64
PID 2176 wrote to memory of 5004 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 75
PID 2176 wrote to memory of 3540 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 81
PID 2176 wrote to memory of 4912 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 82
PID 2176 wrote to memory of 3664 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 83
PID 232 wrote to memory of 3088 | 232 | Rundll32.exe | 87
PID 232 wrote to memory of 3088 | 232 | Rundll32.exe | 87
PID 2176 wrote to memory of 232 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 86
PID 2176 wrote to memory of 232 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 86
PID 232 wrote to memory of 1220 | 232 | Rundll32.exe | 88
PID 232 wrote to memory of 1220 | 232 | Rundll32.exe | 88
PID 2176 wrote to memory of 3088 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 87
PID 232 wrote to memory of 2528 | 232 | Rundll32.exe | 89
PID 232 wrote to memory of 2528 | 232 | Rundll32.exe | 89
PID 2176 wrote to memory of 3088 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 87
PID 232 wrote to memory of 1916 | 232 | Rundll32.exe | 91
PID 232 wrote to memory of 1916 | 232 | Rundll32.exe | 91
PID 2176 wrote to memory of 1220 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 88
PID 232 wrote to memory of 1436 | 232 | Rundll32.exe | 92
PID 232 wrote to memory of 1436 | 232 | Rundll32.exe | 92
PID 2176 wrote to memory of 1220 | 2176 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 88
PID 232 wrote to memory of 2348 | 232 | Rundll32.exe | 93
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Rundll32.exe
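The registry writes listed in the signatures above are the durable, host-observable side of this infection: the StandardProfile firewall flags, EnableLUA, the Security Center Override/DisableNotify values, the Run key pointing at C:\Windows\system32\system.exe, and the Geo\Nation lookup. As an added example (not part of the tria.ge report and not Sality code), the following Python turns "Set value" / "Key created" / "Key value queried" lines in the report's own layout into records and evaluates them against a small rule set for exactly these defence-evasion changes. The embedded lines are a subset copied from the signatures above; the rule names and the decision to treat "Key created ...\Security Center\Svc" as not matching are my own choices.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SAMPLE = "63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe"

# Constructed input: a subset of the registry IoC lines from the signatures
# above, in the report's own "description ioc Process" layout, one per line.
REPORT_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" Rundll32.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" Rundll32.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" Rundll32.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" {S}
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" {S}
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Rundll32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" Rundll32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" {S}
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" Rundll32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc Rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" Rundll32.exe
Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation Rundll32.exe
""".replace("{S}", SAMPLE)

# Key paths may contain spaces ("Security Center"), so the path is matched
# non-greedily and the process name is pinned to the last token of the line.
LINE_RE = re.compile(
    r"^(?P<op>Set value \((?P<type>\w+)\)|Key created|Key value queried) "
    r"(?P<path>\\REGISTRY\\.+?)"
    r'(?: = "(?P<value>[^"]*)")?'
    r" (?P<proc>\S+)$"
)


@dataclass
class RegistryEvent:
    op: str                 # "Set value (int)", "Key created", "Key value queried"
    path: str               # full key/value path as printed in the report
    value: Optional[str]    # data written; None for key creation and queries
    process: str


@dataclass
class Rule:
    name: str
    path: "re.Pattern"                   # group 1 = value/subkey name at path end
    expected: Optional[Dict[str, str]]   # name -> data that counts; None = any access


@dataclass
class Finding:
    rule: str
    name: str
    value: Optional[str]
    process: str


# Rule set for the defence-evasion writes seen in this report (names are mine).
SEC_CENTER = ("AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
              "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify")
RULES = [
    Rule("firewall policy weakened",
         re.compile(r"\\FirewallPolicy\\StandardProfile\\(\w+)$"),
         {"EnableFirewall": "0", "DoNotAllowExceptions": "0", "DisableNotifications": "1"}),
    Rule("UAC disabled", re.compile(r"\\Policies\\System\\(EnableLUA)$"), {"EnableLUA": "0"}),
    Rule("Security Center alerts suppressed",
         re.compile(r"\\Security Center\\(\w+)$"), {k: "1" for k in SEC_CENTER}),
    Rule("Run key persistence", re.compile(r"\\CurrentVersion\\Run\\(\w+)$"), None),
    Rule("locale check (possible geofence)",
         re.compile(r"\\Control Panel\\International\\Geo\\(Nation)$"), None),
]


def parse_report(text: str) -> List[RegistryEvent]:
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        events.append(RegistryEvent(m["op"], m["path"], m["value"], m["proc"]))
    return events


def evaluate(events: List[RegistryEvent]) -> List[Finding]:
    findings = []
    for ev in events:
        for rule in RULES:
            m = rule.path.search(ev.path)
            if not m:
                continue
            name = m.group(1)
            # "Key created ...\Security Center\Svc" reaches the Security Center rule
            # with value None; require the name to be listed and the data to agree.
            if rule.expected is not None and rule.expected.get(name, object()) != ev.value:
                continue
            findings.append(Finding(rule.name, name, ev.value, ev.process))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Rule name -> set of processes that triggered it."""
    out = defaultdict(set)
    for f in findings:
        out[f.rule].add(f.process)
    return dict(out)


if __name__ == "__main__":
    for rule, procs in summarize(evaluate(parse_report(REPORT_LINES))).items():
        print(f"{rule}: {', '.join(sorted(procs))}")
```

Both the dropper and the rundll32 child trigger the firewall, UAC and Security Center rules, which is why a detection keyed on process name alone is weak here; keying on the written value (EnableLUA = 0, EnableFirewall = 0, the Override/DisableNotify values = 1) catches whichever process does the write.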
Processes (indented by depth in the process tree: image path, command line, PID; sandbox signature tags follow the process they fired on)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 796
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 804
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID 384
- C:\Windows\system32\sihost.exe | sihost.exe | PID 3052
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 3104
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3184
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3528
  - C:\Users\Admin\AppData\Local\Temp\63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | "C:\Users\Admin\AppData\Local\Temp\63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe" | PID 2176
    Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\Rundll32.exe | Rundll32 C:\Windows\system32\slidmgaa.dll Exxcute | PID 232
      Signatures: Checks computer location settings; Loads dropped DLL; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      Note: the sample and both rundll32 children are 32-bit (SysWOW64 images), so a path typed as C:\Windows\system32\ is subject to WOW64 file-system redirection; the dropped DLL names (slidmgaa.dll, kbogmgaa.dll) and the export names passed to rundll32 (Exxcute, Exucute) are as logged and are the strings to hunt for.
      - C:\Windows\SysWOW64\net.exe | net stop WinDefend | PID 3088
        - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2564
        - C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop WinDefend | PID 2744
      - C:\Windows\SysWOW64\net.exe | net stop MpsSvc | PID 1220
        - C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MpsSvc | PID 696
      - C:\Windows\SysWOW64\sc.exe | sc config WinDefend start= disabled | PID 2528 (Launches sc.exe)
      - C:\Windows\SysWOW64\sc.exe | sc config MpsSvc start= disabled | PID 1916 (Launches sc.exe)
      - C:\Windows\SysWOW64\sc.exe | sc stop ZhuDongFangYu | PID 1436 (Launches sc.exe)
      - C:\Windows\SysWOW64\sc.exe | sc delete ZhuDongFangYu | PID 2348 (Launches sc.exe)
      - C:\Windows\SysWOW64\sc.exe | sc stop 360rp | PID 3216 (Launches sc.exe)
      - C:\Windows\SysWOW64\sc.exe | sc delete 360rp | PID 4296 (Launches sc.exe)
      - C:\Windows\SysWOW64\sc.exe | "C:\Windows\System32\sc.exe" stop PolicyAgent | PID 2440 (Launches sc.exe)
    - C:\Windows\SysWOW64\Rundll32.exe | Rundll32 C:\Windows\system32\kbogmgaa.dll Exucute | PID 728
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Blocklisted process makes network request; Loads dropped DLL; Windows security modification; Adds Run key to start application; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3668
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3852
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3948
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4012
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3168
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4208
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2900
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 5004
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca | PID 3540
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 4912
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 3664
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2612
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4100
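The process tree above and the firewall-policy / EnableLUA registry writes are the raw material for detection. The following classifier is an added example, not tria.ge code and not part of the report: it takes a hand-built event list copied from this page (the net/sc command lines with their PIDs, and the registry writes attributed to the sample, PID 2176, and to the kbogmgaa.dll rundll32, PID 728, since those two carry the "Modifies firewall policy service" and "System policy modification" tags) and maps each event to an ATT&CK technique. The rule logic, the helper names and the technique IDs are the author's own; the report lists technique names only. One caveat the report's "UAC bypass" tag hides: EnableLUA = 0 does not bypass UAC in-session, it switches UAC off at the next logon, which is why the rule files it under Bypass User Account Control but the comment says so.

```python
"""Added example: map sandbox process/registry events onto ATT&CK technique IDs.
EVENTS is constructed from the report on this page; rules and IDs are the author's own."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # "process": detail is a command line; "registry": detail is "path = value"
    pid: int
    detail: str


# Services the sample attacks (from the sc/net lines above); add your own EDR/AV service names here.
SECURITY_SERVICES = {"windefend", "mpssvc", "policyagent", "zhudongfangyu", "360rp"}
FIREWALL_KEY = "\\sharedaccess\\parameters\\firewallpolicy\\"
FIREWALL_WEAKENING = {"enablefirewall": "0", "donotallowexceptions": "0", "disablenotifications": "1"}
ENABLE_LUA = "\\policies\\system\\enablelua"
FW = r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
POL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed from the report (PIDs and command lines verbatim; two benign lines as negative controls).
EVENTS = [
    Event("process", 3104, r"C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc"),
    Event("process", 232,  r"Rundll32 C:\Windows\system32\slidmgaa.dll Exxcute"),
    Event("process", 3088, "net stop WinDefend"),
    Event("process", 2564, r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    Event("process", 2744, r"C:\Windows\system32\net1 stop WinDefend"),
    Event("process", 1220, "net stop MpsSvc"),
    Event("process", 696,  r"C:\Windows\system32\net1 stop MpsSvc"),
    Event("process", 2528, "sc config WinDefend start= disabled"),
    Event("process", 1916, "sc config MpsSvc start= disabled"),
    Event("process", 1436, "sc stop ZhuDongFangYu"),
    Event("process", 2348, "sc delete ZhuDongFangYu"),
    Event("process", 3216, "sc stop 360rp"),
    Event("process", 4296, "sc delete 360rp"),
    Event("process", 2440, r'"C:\Windows\System32\sc.exe" stop PolicyAgent'),
    Event("process", 728,  r"Rundll32 C:\Windows\system32\kbogmgaa.dll Exucute"),
]
for _pid in (2176, 728):  # the sample and the kbogmgaa.dll rundll32 both carry the registry signatures
    EVENTS += [Event("registry", _pid, FW + r"\EnableFirewall = 0"),
               Event("registry", _pid, FW + r"\DoNotAllowExceptions = 0"),
               Event("registry", _pid, FW + r"\DisableNotifications = 1"),
               Event("registry", _pid, POL + r"\EnableLUA = 0")]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def image_name(token):
    """'C:\\...\\sc.exe', '\\??\\...\\conhost.exe', 'net1' -> 'sc', 'conhost', 'net1'."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def process_rules(cmdline):
    toks = tokenize(cmdline)
    if not toks:
        return []
    exe, args = image_name(toks[0]), [t.lower() for t in toks[1:]]
    if exe in ("net", "net1") and len(args) >= 2 and args[0] == "stop" and args[1] in SECURITY_SERVICES:
        return ["T1562.001"]   # Impair Defenses: Disable or Modify Tools
    if exe == "sc" and len(args) >= 2 and args[1] in SECURITY_SERVICES:
        if args[0] in ("stop", "delete") or (args[0] == "config" and "start=" in args and "disabled" in args):
            return ["T1562.001"]
    if exe == "rundll32" and args and args[0].endswith(".dll"):
        return ["T1218.011"]   # rundll32 with an explicit DLL path and export: a triage signal, not a conviction
    return []


def registry_rules(detail):
    path, _, value = detail.rpartition(" = ")
    path, value = path.lower(), value.strip()
    if FIREWALL_KEY in path:
        name = path.rsplit("\\", 1)[-1]
        return ["T1562.004"] if FIREWALL_WEAKENING.get(name) == value else ["T1112"]
    if path.endswith(ENABLE_LUA) and value == "0":
        return ["T1548.002"]   # EnableLUA=0 switches UAC off at next logon; the report tags it "UAC bypass"
    return ["T1112"]           # any other policy/registry write: Modify Registry


def classify(events):
    """technique id -> [(pid, detail), ...] for every event that matched a rule."""
    hits = defaultdict(list)
    for ev in events:
        rules = process_rules if ev.kind == "process" else registry_rules
        for tid in rules(ev.detail):
            hits[tid].append((ev.pid, ev.detail))
    return dict(hits)


def disabled_services(events):
    """Lower-cased names of the services stopped, disabled or deleted via net/sc."""
    return {tokenize(detail)[2].lower() for _, detail in classify(events).get("T1562.001", [])}


if __name__ == "__main__":
    for tid, rows in sorted(classify(EVENTS).items()):
        print(f"{tid}: {len(rows)} event(s)")
        for pid, detail in rows:
            print(f"    {pid:>5}  {detail}")
    print("services impaired:", sorted(disabled_services(EVENTS)))
```

Run against the events from this page it reports eleven T1562.001 hits (net, net1 and sc against WinDefend, MpsSvc, ZhuDongFangYu, 360rp and PolicyAgent), six T1562.004 firewall-policy writes, two T1548.002 EnableLUA writes and two rundll32 loads, while the svchost and conhost control lines match nothing. The T1218.011 rule is deliberately loose; in production pair it with a parent-process check (explorer-spawned rundll32 loading an eight-letter DLL from the Windows directory, as here) before alerting.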
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
- Filesize 423KB
  MD5    eefe59f74029d4b0212c8bbee24aa604
  SHA1   f0b4a96f7a1ad1fcc83e82209ea629d4cc369c9a
  SHA256 ca3155911cbfa1dd0bab62592c1a99a2294161c189fa395d1996c920483fbb4c
  SHA512 9121890bf6b9586a88e2a6ffd81d63a92baa914d619f871341525287448c1c7b34db080769143a865b9920fa7d7283542d45cb7c106bb6e00115073613b2716d
- Filesize 4.3MB
  MD5    6c7cdd25c2cb0073306eb22aebfc663f
  SHA1   a1eba8ab49272b9852fe6a543677e8af36271248
  SHA256 58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705
  SHA512 17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6
- Filesize 257B
  MD5    d9d6fff5a47426ff9e10fa41abee4a00
  SHA1   3a425a5a0549e762d3d60e4cf649a8df0c0d2f61
  SHA256 4230f5996b5c94c33f20ade9152e9eac738c1b5b4d8fc5df4c34cb521c145884
  SHA512 6f7455e71344025c02116f6b093392f1961b91dc278d3e67422dd7d6eb89025378d20dfeebdaa26a13c3bb21320ce74ef347b7a41785b7ca5c61ecabc32b4bca
- Filesize 22KB
  MD5    a3ef28ba7455d1c1d64dda9e671ceeb4
  SHA1   f38fb6d8a939f38e629be107669ba33c2d0a5490
  SHA256 ef23a1ba0b5705aa5fe4b3a2b155c793c0cb6d219ad53208ba29594e4693d978
  SHA512 9b6b25c880b5a73e9b165ac1019005dd4335e024fe7987fd562aa96ca74029b1c8c535938f5623dc223f1cf74f21b1b05c9361b52757267fdd1b34597bf89d3a
- Filesize 76KB
  MD5    571b5bf943a03b56627aae4ccb0841d9
  SHA1   fc0d40a3ed252ab6440466dda2db2967df18e7c6
  SHA256 4afa0c12a66a020512ea1674be986ea7210f067c38612ac74bc766e86b4283e3
  SHA512 e43bf28477b2da4d07a7134a9a6c54ad1ec348b6dfe93fdc43370f4afc6cbec2540036e8b38b9a45d1a579292a60fcfab580ac8d1c4ecc7b59df333359edf578
- Filesize 97KB
  MD5    5e00c50bf43f89f678fa1e3fc6f246d5
  SHA1   4aa8f90a45b03613e579adda64f806c04a8970d6
  SHA256 530e54df0cfee269cd9c12c172029ff89a0f31d77412de0d8cbb2c29c7896382
  SHA512 bb14bafc9b54f62ef1d097ccab2c2daca19fb41d94c1cd1dffbe1ae1891a39269cb67c9481eed51b0d9f6da77bc588d1e766e6bdc749a2a949a8007c6cf9bbc9