Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
5Static
static
3Release.zip
windows7-x64
Release.zip
windows10-2004-x64
1Release/bi...hql.js
windows7-x64
3Release/bi...hql.js
windows10-2004-x64
3Release/bi...ars.js
windows7-x64
3Release/bi...ars.js
windows10-2004-x64
3Release/bi...hcl.js
windows7-x64
3Release/bi...hcl.js
windows10-2004-x64
3Release/bi...tml.js
windows7-x64
3Release/bi...tml.js
windows10-2004-x64
3Release/bi...ini.js
windows7-x64
3Release/bi...ini.js
windows10-2004-x64
3Release/bi...ava.js
windows7-x64
3Release/bi...ava.js
windows10-2004-x64
3Release/bi...ipt.js
windows7-x64
3Release/bi...ipt.js
windows10-2004-x64
3Release/bi...lia.js
windows7-x64
3Release/bi...lia.js
windows10-2004-x64
3Release/bi...lin.js
windows7-x64
3Release/bi...lin.js
windows10-2004-x64
3Release/bi...ess.js
windows7-x64
3Release/bi...ess.js
windows10-2004-x64
3Release/bi...xon.js
windows7-x64
3Release/bi...xon.js
windows10-2004-x64
3Release/bi...lua.js
windows7-x64
3Release/bi...lua.js
windows10-2004-x64
3Release/bi.../m3.js
windows7-x64
3Release/bi.../m3.js
windows10-2004-x64
3Release/bi...own.js
windows7-x64
3Release/bi...own.js
windows10-2004-x64
3Release/bi...ips.js
windows7-x64
3Release/bi...ips.js
windows10-2004-x64
3Analysis
-
max time kernel
71s -
max time network
72s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
25/06/2024, 19:13
Static task
static1
Behavioral task
behavioral1
Sample
Release.zip
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
Release.zip
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/graphql/graphql.js
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral4
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/graphql/graphql.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/handlebars/handlebars.js
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral6
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/handlebars/handlebars.js
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/hcl/hcl.js
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral8
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/hcl/hcl.js
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/html/html.js
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral10
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/html/html.js
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/ini/ini.js
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral12
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/ini/ini.js
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/java/java.js
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral14
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/java/java.js
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/javascript/javascript.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/javascript/javascript.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/julia/julia.js
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral18
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/julia/julia.js
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/kotlin/kotlin.js
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral20
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/kotlin/kotlin.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/less/less.js
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral22
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/less/less.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/lexon/lexon.js
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral24
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/lexon/lexon.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/lua/lua.js
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral26
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/lua/lua.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/m3/m3.js
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral28
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/m3/m3.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/markdown/markdown.js
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral30
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/markdown/markdown.js
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/mips/mips.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
Release/bin/Monaco/package/dev/vs/basic-languages/mips/mips.js
Resource
win10v2004-20240611-en
windows10-2004-x64
Errors
General
-
Target
Release.zip
-
Size
25.7MB
-
MD5
83a069366d4fd8ce4cdafa26e691979d
-
SHA1
a1e7b78319d739ae5d9829c1fd619b76623b0cc2
-
SHA256
42801eb5aecd68c3d5577c65beb2866e846785b3eb43c6803b635993e6d657ae
-
SHA512
75731ee23f7fbe1424c92f7b7f74484596223913038ec4bf7f9470ef7c359ae7569956bb81cc05c43beb6c1dcc9baf78e5d9e3c405ec2d0da8abc75317188cc7
-
SSDEEP
786432:yL1CB39LSUHwfZxxBjKAXsB3OynmRrGbbe6:3B5lHwfZEusB3TnmRGbbd
Malware Config
Signatures
-
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_AA0C859C00D44F35B8C07F474E793500.dat utilman.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_AA0C859C00D44F35B8C07F474E793500.dat utilman.exe -
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Enumerates system info in registry 2 TTPs 32 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier csrss.exe -
Modifies data under HKEY_USERS 46 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" winlogon.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices utilman.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\Generation = "0" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AppLexicons utilman.exe Key created \REGISTRY\USER\.DEFAULT\System utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\AudioOutput\\TokenEnums\\MMAudioOut\\" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\ = "Current User Lexicon" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A} utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files\Datafile = "%1a%\\Microsoft\\Speech\\Files\\UserLexicons\\SP_AA0C859C00D44F35B8C07F474E793500.dat" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{67207ef4-f9c4-4a12-b3e9-11e4cef59a4b} utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{67207ef4-f9c4-4a12-b3e9-11e4cef59a4b}\DeviceId = "{0.0.0.00000000}.{67207ef4-f9c4-4a12-b3e9-11e4cef59a4b}" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{67207ef4-f9c4-4a12-b3e9-11e4cef59a4b}\Attributes\Technology = "MMSys" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\Voices\\Tokens\\MS-Anna-1033-20-DSK" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon utilman.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{67207ef4-f9c4-4a12-b3e9-11e4cef59a4b}\DeviceName = "Speakers (High Definition Audio Device)" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" winlogon.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\PhoneConverters\\Tokens\\English" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{67207ef4-f9c4-4a12-b3e9-11e4cef59a4b}\CLSID = "{A8C680EB-3D32-11D2-9EE7-00C04F797396}" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{67207ef4-f9c4-4a12-b3e9-11e4cef59a4b}\Attributes utilman.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" winlogon.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{67207ef4-f9c4-4a12-b3e9-11e4cef59a4b}\Attributes\Vendor = "Microsoft" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" winlogon.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\AppLexicons utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm utilman.exe Set value (int) \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1" utilman.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 winlogon.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\CLSID = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{67207ef4-f9c4-4a12-b3e9-11e4cef59a4b}\ = "Speakers (High Definition Audio Device)" utilman.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1608 utilman.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeShutdownPrivilege 1572 LogonUI.exe Token: SeShutdownPrivilege 1572 LogonUI.exe Token: SeSecurityPrivilege 1896 winlogon.exe Token: SeBackupPrivilege 1896 winlogon.exe Token: SeSecurityPrivilege 1896 winlogon.exe Token: SeTcbPrivilege 1896 winlogon.exe Token: SeShutdownPrivilege 1572 LogonUI.exe Token: SeShutdownPrivilege 1572 LogonUI.exe Token: SeShutdownPrivilege 1896 winlogon.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1784 wrote to memory of 1572 1784 csrss.exe 38 PID 1784 wrote to memory of 1572 1784 csrss.exe 38 PID 1896 wrote to memory of 1572 1896 winlogon.exe 38 PID 1896 wrote to memory of 1572 1896 winlogon.exe 38 PID 1896 wrote to memory of 1572 1896 winlogon.exe 38 PID 1784 wrote to memory of 1572 1784 csrss.exe 38 PID 1784 wrote to memory of 1572 1784 csrss.exe 38 PID 1784 wrote to memory of 1572 1784 csrss.exe 38 PID 1784 wrote to memory of 1572 1784 csrss.exe 38 PID 1784 wrote to memory of 1572 1784 csrss.exe 38 PID 1784 wrote to memory of 1572 1784 csrss.exe 38 PID 1784 wrote to memory of 1572 1784 csrss.exe 38 PID 1784 wrote to memory of 1572 1784 csrss.exe 38 PID 1784 wrote to memory of 1572 1784 csrss.exe 38 PID 1784 wrote to memory of 1608 1784 csrss.exe 39 PID 1784 wrote to memory of 1608 1784 csrss.exe 39 PID 1896 wrote to memory of 1608 1896 winlogon.exe 39 PID 1896 wrote to memory of 1608 1896 winlogon.exe 39 PID 1896 wrote to memory of 1608 1896 winlogon.exe 39 PID 1784 wrote to memory of 1608 1784 csrss.exe 39 PID 1784 wrote to memory of 1608 1784 csrss.exe 39
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Release.zip1⤵PID:1224
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:3008
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:2404
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1784
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
-
C:\Windows\system32\utilman.exeutilman.exe /debug2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1608
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵PID:296
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:1916