Analysis
- max time kernel: 93s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/05/2024, 00:04

Static task: static1
Behavioral task: behavioral1
- Sample: a7fd3b32531a0003fbdcde9b444e21c0_NeikiAnalytics.dll
- Resource: win7-20240508-en

General
- Target: a7fd3b32531a0003fbdcde9b444e21c0_NeikiAnalytics.dll
- Size: 120KB
- MD5: a7fd3b32531a0003fbdcde9b444e21c0
- SHA1: 31cb75ba701ece927a0445f68ea23cf899f20090
- SHA256: 0a18241b87c8d2b5a29e76988e76150666850e008a8b94dda413a67f8f925400
- SHA512: 5e1ff56f06ae6f052e6af0e9a6729b0d72792d20e798fc15a505c966fce034cf845dd5d1f436d008834ec5fe273ef249ab2998975c78a98d7949019843fb2257
- SSDEEP: 3072:btTGre8BZUe0uL74U6KnQOk6pmGFHSLq7:bRae8Ie0uL74Cnp1V
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5736bf.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576273.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e576273.exe
-
Executes dropped EXE 3 IoCs
pid | Process
628 | e5736bf.exe
3872 | e573827.exe
4192 | e576273.exe
-
resource | yara_rule
behavioral2/memory/628-8-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-10-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-22-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-12-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-23-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-11-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-6-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-30-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-34-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-31-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-36-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-37-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-38-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-39-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-40-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-54-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-55-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-57-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-59-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-60-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-62-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-65-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-66-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/628-68-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4192-105-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4192-126-0x0000000000850000-0x000000000190A000-memory.dmp | upx
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e576273.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5736bf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e576273.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e576273.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576273.exe
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e5736bf.exe
File opened (read-only) | \??\H: | e5736bf.exe
File opened (read-only) | \??\I: | e5736bf.exe
File opened (read-only) | \??\J: | e5736bf.exe
File opened (read-only) | \??\K: | e5736bf.exe
File opened (read-only) | \??\N: | e5736bf.exe
File opened (read-only) | \??\G: | e5736bf.exe
File opened (read-only) | \??\L: | e5736bf.exe
File opened (read-only) | \??\M: | e5736bf.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e5736fe | e5736bf.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5736bf.exe
File created | C:\Windows\e5789d1 | e576273.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
628 | e5736bf.exe
628 | e5736bf.exe
628 | e5736bf.exe
628 | e5736bf.exe
4192 | e576273.exe
4192 | e576273.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 628 | e5736bf.exe
(this identical row is repeated 64 times in the report)
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5076 wrote to memory of 1580 | 5076 | rundll32.exe | 82
PID 5076 wrote to memory of 1580 | 5076 | rundll32.exe | 82
PID 5076 wrote to memory of 1580 | 5076 | rundll32.exe | 82
PID 1580 wrote to memory of 628 | 1580 | rundll32.exe | 83
PID 1580 wrote to memory of 628 | 1580 | rundll32.exe | 83
PID 1580 wrote to memory of 628 | 1580 | rundll32.exe | 83
PID 628 wrote to memory of 776 | 628 | e5736bf.exe | 9
PID 628 wrote to memory of 784 | 628 | e5736bf.exe | 10
PID 628 wrote to memory of 1016 | 628 | e5736bf.exe | 13
PID 628 wrote to memory of 2888 | 628 | e5736bf.exe | 49
PID 628 wrote to memory of 3004 | 628 | e5736bf.exe | 51
PID 628 wrote to memory of 428 | 628 | e5736bf.exe | 53
PID 628 wrote to memory of 3412 | 628 | e5736bf.exe | 55
PID 628 wrote to memory of 3580 | 628 | e5736bf.exe | 57
PID 628 wrote to memory of 3764 | 628 | e5736bf.exe | 58
PID 628 wrote to memory of 3860 | 628 | e5736bf.exe | 59
PID 628 wrote to memory of 3924 | 628 | e5736bf.exe | 60
PID 628 wrote to memory of 4000 | 628 | e5736bf.exe | 61
PID 628 wrote to memory of 3568 | 628 | e5736bf.exe | 62
PID 628 wrote to memory of 3076 | 628 | e5736bf.exe | 73
PID 628 wrote to memory of 4932 | 628 | e5736bf.exe | 74
PID 628 wrote to memory of 3184 | 628 | e5736bf.exe | 79
PID 628 wrote to memory of 2384 | 628 | e5736bf.exe | 80
PID 628 wrote to memory of 5076 | 628 | e5736bf.exe | 81
PID 628 wrote to memory of 1580 | 628 | e5736bf.exe | 82
PID 628 wrote to memory of 1580 | 628 | e5736bf.exe | 82
PID 1580 wrote to memory of 3872 | 1580 | rundll32.exe | 84
PID 1580 wrote to memory of 3872 | 1580 | rundll32.exe | 84
PID 1580 wrote to memory of 3872 | 1580 | rundll32.exe | 84
PID 628 wrote to memory of 776 | 628 | e5736bf.exe | 9
PID 628 wrote to memory of 784 | 628 | e5736bf.exe | 10
PID 628 wrote to memory of 1016 | 628 | e5736bf.exe | 13
PID 628 wrote to memory of 2888 | 628 | e5736bf.exe | 49
PID 628 wrote to memory of 3004 | 628 | e5736bf.exe | 51
PID 628 wrote to memory of 428 | 628 | e5736bf.exe | 53
PID 628 wrote to memory of 3412 | 628 | e5736bf.exe | 55
PID 628 wrote to memory of 3580 | 628 | e5736bf.exe | 57
PID 628 wrote to memory of 3764 | 628 | e5736bf.exe | 58
PID 628 wrote to memory of 3860 | 628 | e5736bf.exe | 59
PID 628 wrote to memory of 3924 | 628 | e5736bf.exe | 60
PID 628 wrote to memory of 4000 | 628 | e5736bf.exe | 61
PID 628 wrote to memory of 3568 | 628 | e5736bf.exe | 62
PID 628 wrote to memory of 3076 | 628 | e5736bf.exe | 73
PID 628 wrote to memory of 4932 | 628 | e5736bf.exe | 74
PID 628 wrote to memory of 3184 | 628 | e5736bf.exe | 79
PID 628 wrote to memory of 2384 | 628 | e5736bf.exe | 80
PID 628 wrote to memory of 5076 | 628 | e5736bf.exe | 81
PID 628 wrote to memory of 3872 | 628 | e5736bf.exe | 84
PID 628 wrote to memory of 3872 | 628 | e5736bf.exe | 84
PID 628 wrote to memory of 1836 | 628 | e5736bf.exe | 86
PID 628 wrote to memory of 4128 | 628 | e5736bf.exe | 87
PID 1580 wrote to memory of 4192 | 1580 | rundll32.exe | 90
PID 1580 wrote to memory of 4192 | 1580 | rundll32.exe | 90
PID 1580 wrote to memory of 4192 | 1580 | rundll32.exe | 90
PID 4192 wrote to memory of 776 | 4192 | e576273.exe | 9
PID 4192 wrote to memory of 784 | 4192 | e576273.exe | 10
PID 4192 wrote to memory of 1016 | 4192 | e576273.exe | 13
PID 4192 wrote to memory of 2888 | 4192 | e576273.exe | 49
PID 4192 wrote to memory of 3004 | 4192 | e576273.exe | 51
PID 4192 wrote to memory of 428 | 4192 | e576273.exe | 53
PID 4192 wrote to memory of 3412 | 4192 | e576273.exe | 55
PID 4192 wrote to memory of 3580 | 4192 | e576273.exe | 57
PID 4192 wrote to memory of 3764 | 4192 | e576273.exe | 58
PID 4192 wrote to memory of 3860 | 4192 | e576273.exe | 59
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5736bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576273.exe
Processes
(image path | command line | depth | PID; child processes and triggered signatures are indented under their parent)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | depth 1 | PID:776
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | depth 1 | PID:784
- C:\Windows\system32\dwm.exe | "dwm.exe" | depth 1 | PID:1016
- C:\Windows\system32\sihost.exe | sihost.exe | depth 1 | PID:2888
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | depth 1 | PID:3004
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | depth 1 | PID:428
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | depth 1 | PID:3412
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7fd3b32531a0003fbdcde9b444e21c0_NeikiAnalytics.dll,#1 | depth 2 | PID:5076
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7fd3b32531a0003fbdcde9b444e21c0_NeikiAnalytics.dll,#1 | depth 3 | PID:1580
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5736bf.exe | C:\Users\Admin\AppData\Local\Temp\e5736bf.exe | depth 4 | PID:628
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e573827.exe | C:\Users\Admin\AppData\Local\Temp\e573827.exe | depth 4 | PID:3872
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e576273.exe | C:\Users\Admin\AppData\Local\Temp\e576273.exe | depth 4 | PID:4192
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | depth 1 | PID:3580
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | depth 1 | PID:3764
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | depth 1 | PID:3860
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:3924
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | depth 1 | PID:4000
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:3568
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | depth 1 | PID:3076
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:4932
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | depth 1 | PID:3184
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | depth 1 | PID:2384
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:1836
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:4128
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: a05057ddbeeefbf5cc6c0bda9e1108ee
SHA1: a4128b5010b39bd7cc91288cf013baf06fac8845
SHA256: da212171428c24dc2c6ba4374665dcf0e67f63bd72b06ec2e834843af40e2974
SHA512: 421c8134953b7deb891d94a3f7f11907cdd1771d1ac39909b785c520eeb1f934a700d0768ee13f40207135229d513eac6f7e261f2976fdd0d31a437229d3c42c
-
Filesize: 257B
MD5: 1205ab1fa6fce7e3152bc81bd4b66873
SHA1: 5a57e58801d9d77fb76628b04901b33b1ba5e147
SHA256: c62dd8df923d0d072072095553a8a06c98fdcc834fe5cbb7198a443ff9e1462f
SHA512: 08d906c90bb6198558ff469675febcaab6fbed9a418508dcca3ff8ddce0d2b9764ceb91cea7834d6be965fe000b04f61e75f0f8ad759cd542ea9a3d170905d24