Analysis
- max time kernel: 95s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/07/2024, 01:19
Static task: static1
Behavioral task: behavioral1
Sample: 278081c237457aae1adf9bf89b269490.dll
Resource: win7-20240220-en
General
- Target: 278081c237457aae1adf9bf89b269490.dll
- Size: 120KB
- MD5: 278081c237457aae1adf9bf89b269490
- SHA1: 925da4535f3fabf8a054c6c0becc373c1bdd44a9
- SHA256: 84a6053f02280f23936da10437d8c18f0bebe8ca481d08c165cfa74c8936685b
- SHA512: 287890a4032a99fdfd1d969f9a528d68c912446e0535a5a3d523d24a7d99c17ffadaeab16ea02c05f5ed291b3ad2c0a78086e762f221bcb7683c3006f112103c
- SSDEEP: 1536:t4pd3AWNyzemHOzGwsOf0ZONUpcZ5OMS2gRe5qHT76fR+G5fZcUMutiqPHEu+/Sd:m8Ozt4vc6r2gU5qHT7U+y7DrIA
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57aa59.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57aa59.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57aa59.exe)
UAC bypass (signature name taken from the process tree below; the heading was lost in extraction)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57aa59.exe)
Windows security bypass (signature name taken from the process tree below; the heading was lost in extraction)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57aa59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57aa59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57aa59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57aa59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57aa59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57aa59.exe)
Executes dropped EXE (4 IoCs)
- PID 4880: e577e67.exe
- PID 3000: e577fde.exe
- PID 3332: e57aa59.exe
- PID 4428: e57aa78.exe
Windows security modification (signature name taken from the process tree below; the heading was lost in extraction)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57aa59.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57aa59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57aa59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57aa59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57aa59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57aa59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e577e67.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57aa59.exe)
Checks whether UAC is enabled (signature name taken from the process tree below; the heading was lost in extraction)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57aa59.exe)
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\N: (e577e67.exe)
- File opened (read-only) \??\E: (e57aa59.exe)
- File opened (read-only) \??\G: (e57aa59.exe)
- File opened (read-only) \??\I: (e57aa59.exe)
- File opened (read-only) \??\E: (e577e67.exe)
- File opened (read-only) \??\H: (e577e67.exe)
- File opened (read-only) \??\M: (e577e67.exe)
- File opened (read-only) \??\G: (e577e67.exe)
- File opened (read-only) \??\I: (e577e67.exe)
- File opened (read-only) \??\H: (e57aa59.exe)
- File opened (read-only) \??\J: (e57aa59.exe)
- File opened (read-only) \??\J: (e577e67.exe)
- File opened (read-only) \??\K: (e577e67.exe)
- File opened (read-only) \??\L: (e577e67.exe)
Drops file in Windows directory (3 IoCs)
- File opened for modification C:\Windows\SYSTEM.INI (e577e67.exe)
- File created C:\Windows\e57d1c7 (e57aa59.exe)
- File created C:\Windows\e577ed5 (e577e67.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 4880: e577e67.exe (4 occurrences)
- PID 3332: e57aa59.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTP, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e577e67.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57aa59.exe)
Processes (image path | command line | PID; nesting shows parent/child)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:336
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2596
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2812
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2056
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3352
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\278081c237457aae1adf9bf89b269490.dll,#1 | PID:1868
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\278081c237457aae1adf9bf89b269490.dll,#1 | PID:2528
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e577e67.exe | C:\Users\Admin\AppData\Local\Temp\e577e67.exe | PID:4880
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e577fde.exe | C:\Users\Admin\AppData\Local\Temp\e577fde.exe | PID:3000
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e57aa59.exe | C:\Users\Admin\AppData\Local\Temp\e57aa59.exe | PID:3332
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57aa78.exe | C:\Users\Admin\AppData\Local\Temp\e57aa78.exe | PID:4428
        - Executes dropped EXE
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3516
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3720
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3816
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3880
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3964
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4712
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4612
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:712
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:5084
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3040
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1880
Network
MITRE ATT&CK Enterprise v15 (counts in parentheses)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Create or Modify System Process (1): Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: d7ceab29bb3450d305e50a7b701a694b
  SHA1: 46021d7b5772b352ea015603aeac533d1874099d
  SHA256: ad7dd9926ae32146dcf161a680f28c10ef6d18031f4a7d0c9fd8fb3a1ac49af9
  SHA512: aa29a49ca617815930ee8a79b8d1af22eedffd10984639b13efdb8ae6ea337aa76cc7c22cf951f9ae06b5801867908887bd703a54e73462e0fc5daba7219afad
- Filesize: 257B
  MD5: ac9f772a81e7c10690da8801a3cc61bb
  SHA1: 1eb450c707ae1eb55000eda28a38455430d1e270
  SHA256: 92593d72c1e958ab6a0cd4c4779a6660dc93299aa10260fa1d7cb6bdb4baf4c3
  SHA512: 6e857f13313580b1f704a744c9a2e810a8cf00d766bab7625b4b5f3e48c0fc8ed09ad1c40dcec14cab773097ea36f435334afed3ce94473d8dc18a9bd239176f