Analysis
max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/07/2024, 07:10
Static task: static1
Behavioral task: behavioral1
Sample: a4823e7373d249fa9e1863519811f150N.dll
Resource: win7-20240704-en
General
Target: a4823e7373d249fa9e1863519811f150N.dll
Size: 120KB
MD5: a4823e7373d249fa9e1863519811f150
SHA1: 2a9642310f6e005d01bf7f8ca292df39d780f8ea
SHA256: 1a30cddaee9769a65035e903875cd3a027bb51fbc5966d84caa58ad34cc74847
SHA512: 7fc345ee0db83deb244d5b824f6c6705ed190d9ca3dc7722175e9aa05264b34bef446e38f1ecc712432b7570eb36fc0cc14b858103af1970fb88a575e1ef84c1
SSDEEP: 3072:VkhWKfycRn3i0+x70hWCuVl/+ckztD7cosp:xKfjRnSp70wmRztD7s
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57be10.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57be10.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579d59.exe
Executes dropped EXE 4 IoCs
pid | Process
4596 | e579d59.exe
1156 | e579ea1.exe
4220 | e57bdf1.exe
3612 | e57be10.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57be10.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579d59.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57be10.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579d59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57be10.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e579d59.exe
File opened (read-only) | \??\N: | e579d59.exe
File opened (read-only) | \??\E: | e579d59.exe
File opened (read-only) | \??\H: | e579d59.exe
File opened (read-only) | \??\P: | e579d59.exe
File opened (read-only) | \??\Q: | e579d59.exe
File opened (read-only) | \??\K: | e579d59.exe
File opened (read-only) | \??\M: | e579d59.exe
File opened (read-only) | \??\E: | e57be10.exe
File opened (read-only) | \??\G: | e57be10.exe
File opened (read-only) | \??\H: | e57be10.exe
File opened (read-only) | \??\I: | e579d59.exe
File opened (read-only) | \??\J: | e579d59.exe
File opened (read-only) | \??\L: | e579d59.exe
File opened (read-only) | \??\O: | e579d59.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e579d59.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e579d59.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e579d59.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e579da7 | e579d59.exe
File opened for modification | C:\Windows\SYSTEM.INI | e579d59.exe
File created | C:\Windows\e57ed8c | e57be10.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4596 | e579d59.exe
4596 | e579d59.exe
4596 | e579d59.exe
4596 | e579d59.exe
3612 | e57be10.exe
3612 | e57be10.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4596 | e579d59.exe (this same entry is recorded 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2416 wrote to memory of 4448 | 2416 | rundll32.exe | 83
PID 2416 wrote to memory of 4448 | 2416 | rundll32.exe | 83
PID 2416 wrote to memory of 4448 | 2416 | rundll32.exe | 83
PID 4448 wrote to memory of 4596 | 4448 | rundll32.exe | 84
PID 4448 wrote to memory of 4596 | 4448 | rundll32.exe | 84
PID 4448 wrote to memory of 4596 | 4448 | rundll32.exe | 84
PID 4596 wrote to memory of 808 | 4596 | e579d59.exe | 9
PID 4596 wrote to memory of 816 | 4596 | e579d59.exe | 10
PID 4596 wrote to memory of 1016 | 4596 | e579d59.exe | 13
PID 4596 wrote to memory of 2568 | 4596 | e579d59.exe | 44
PID 4596 wrote to memory of 2580 | 4596 | e579d59.exe | 45
PID 4596 wrote to memory of 2740 | 4596 | e579d59.exe | 46
PID 4596 wrote to memory of 3520 | 4596 | e579d59.exe | 56
PID 4596 wrote to memory of 3648 | 4596 | e579d59.exe | 57
PID 4596 wrote to memory of 3844 | 4596 | e579d59.exe | 58
PID 4596 wrote to memory of 3940 | 4596 | e579d59.exe | 59
PID 4596 wrote to memory of 4004 | 4596 | e579d59.exe | 60
PID 4596 wrote to memory of 692 | 4596 | e579d59.exe | 61
PID 4596 wrote to memory of 3532 | 4596 | e579d59.exe | 62
PID 4596 wrote to memory of 2128 | 4596 | e579d59.exe | 64
PID 4596 wrote to memory of 2508 | 4596 | e579d59.exe | 76
PID 4596 wrote to memory of 776 | 4596 | e579d59.exe | 80
PID 4596 wrote to memory of 4760 | 4596 | e579d59.exe | 81
PID 4596 wrote to memory of 2416 | 4596 | e579d59.exe | 82
PID 4596 wrote to memory of 4448 | 4596 | e579d59.exe | 83
PID 4596 wrote to memory of 4448 | 4596 | e579d59.exe | 83
PID 4448 wrote to memory of 1156 | 4448 | rundll32.exe | 85
PID 4448 wrote to memory of 1156 | 4448 | rundll32.exe | 85
PID 4448 wrote to memory of 1156 | 4448 | rundll32.exe | 85
PID 4448 wrote to memory of 4220 | 4448 | rundll32.exe | 89
PID 4448 wrote to memory of 4220 | 4448 | rundll32.exe | 89
PID 4448 wrote to memory of 4220 | 4448 | rundll32.exe | 89
PID 4448 wrote to memory of 3612 | 4448 | rundll32.exe | 90
PID 4448 wrote to memory of 3612 | 4448 | rundll32.exe | 90
PID 4448 wrote to memory of 3612 | 4448 | rundll32.exe | 90
PID 4596 wrote to memory of 808 | 4596 | e579d59.exe | 9
PID 4596 wrote to memory of 816 | 4596 | e579d59.exe | 10
PID 4596 wrote to memory of 1016 | 4596 | e579d59.exe | 13
PID 4596 wrote to memory of 2568 | 4596 | e579d59.exe | 44
PID 4596 wrote to memory of 2580 | 4596 | e579d59.exe | 45
PID 4596 wrote to memory of 2740 | 4596 | e579d59.exe | 46
PID 4596 wrote to memory of 3520 | 4596 | e579d59.exe | 56
PID 4596 wrote to memory of 3648 | 4596 | e579d59.exe | 57
PID 4596 wrote to memory of 3844 | 4596 | e579d59.exe | 58
PID 4596 wrote to memory of 3940 | 4596 | e579d59.exe | 59
PID 4596 wrote to memory of 4004 | 4596 | e579d59.exe | 60
PID 4596 wrote to memory of 692 | 4596 | e579d59.exe | 61
PID 4596 wrote to memory of 3532 | 4596 | e579d59.exe | 62
PID 4596 wrote to memory of 2128 | 4596 | e579d59.exe | 64
PID 4596 wrote to memory of 2508 | 4596 | e579d59.exe | 76
PID 4596 wrote to memory of 776 | 4596 | e579d59.exe | 80
PID 4596 wrote to memory of 1156 | 4596 | e579d59.exe | 85
PID 4596 wrote to memory of 1156 | 4596 | e579d59.exe | 85
PID 4596 wrote to memory of 2596 | 4596 | e579d59.exe | 87
PID 4596 wrote to memory of 3720 | 4596 | e579d59.exe | 88
PID 4596 wrote to memory of 4220 | 4596 | e579d59.exe | 89
PID 4596 wrote to memory of 4220 | 4596 | e579d59.exe | 89
PID 4596 wrote to memory of 3612 | 4596 | e579d59.exe | 90
PID 4596 wrote to memory of 3612 | 4596 | e579d59.exe | 90
PID 3612 wrote to memory of 808 | 3612 | e57be10.exe | 9
PID 3612 wrote to memory of 816 | 3612 | e57be10.exe | 10
PID 3612 wrote to memory of 1016 | 3612 | e57be10.exe | 13
PID 3612 wrote to memory of 2568 | 3612 | e57be10.exe | 44
PID 3612 wrote to memory of 2580 | 3612 | e57be10.exe | 45
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57be10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579d59.exe
Processes (indentation shows parent/child depth)

C:\Windows\system32\fontdrvhost.exe
    command line: "fontdrvhost.exe"
    PID: 808
C:\Windows\system32\fontdrvhost.exe
    command line: "fontdrvhost.exe"
    PID: 816
C:\Windows\system32\dwm.exe
    command line: "dwm.exe"
    PID: 1016
C:\Windows\system32\sihost.exe
    command line: sihost.exe
    PID: 2568
C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2580
C:\Windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2740
C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3520
    C:\Windows\system32\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4823e7373d249fa9e1863519811f150N.dll,#1
        - Suspicious use of WriteProcessMemory
        PID: 2416
        C:\Windows\SysWOW64\rundll32.exe
            command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4823e7373d249fa9e1863519811f150N.dll,#1
            - Suspicious use of WriteProcessMemory
            PID: 4448
            C:\Users\Admin\AppData\Local\Temp\e579d59.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e579d59.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                PID: 4596
            C:\Users\Admin\AppData\Local\Temp\e579ea1.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e579ea1.exe
                - Executes dropped EXE
                PID: 1156
            C:\Users\Admin\AppData\Local\Temp\e57bdf1.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e57bdf1.exe
                - Executes dropped EXE
                PID: 4220
            C:\Users\Admin\AppData\Local\Temp\e57be10.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e57be10.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
                PID: 3612
C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3648
C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3844
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3940
C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4004
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 692
C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3532
C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 2128
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 2508
C:\Windows\system32\backgroundTaskHost.exe
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
    PID: 776
C:\Windows\system32\backgroundTaskHost.exe
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    PID: 4760
C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 2596
C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3720
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 7b1f7f5b5757aa303f7b4696e78f799f
SHA1: d4e83829c4773aaf3b442fcb70179dfc87bad040
SHA256: 68a8081558b51cecfd7f6166f454ad4c071956c1ba1a83b1bea17bbbe58a6cee
SHA512: a8b3c58fb49a506b36a72b39c9cd548d62ac777d701494a69f9c0fd0b3ba9758fbcf20a3dc8b531f3ca0bd6976ca62c1bf4f480d5740dcf0eb8935ebf243a362

Filesize: 257B
MD5: 5263f5d1e8306e6a5ade2a05c4041a47
SHA1: 44f895669111f2373798b50b1bd36f6504f5f3d4
SHA256: 5458177263ce7c7f424cfd006a9b4da2d8d122ae73598f4089c99e78c5adfae4
SHA512: ac3105aceef8acea30b1c39292b109ab06636bcd4bfc9ab267003d7d03c203d8ab97cf5b1f58d0d214a2e5c9e8a32b3adbce45f9cdabd8b78e172cb05ff9f04d