Analysis
Max time kernel: 109s
Max time network: 109s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22/07/2024, 02:03
Static task: static1
Behavioral task: behavioral1
Sample: 44cd8dc2bfa6b608b24637c18c581c20N.dll
Resource: win7-20240705-en
General
Target: 44cd8dc2bfa6b608b24637c18c581c20N.dll
Size: 120KB
MD5: 44cd8dc2bfa6b608b24637c18c581c20
SHA1: ffbb5ffb69962618b6cd1d57093e93ce251a901d
SHA256: 8d78476799105b622465898f736a6763d4538a69698417dc04765ff392321a3b
SHA512: 2bf2e292cbd1c963b733fe80f886eac194eea0a351446e1743c198cf53dbfefe3c58d6fb2445277a012a061e49051012e625094690c2319970e538f4f3a99197
SSDEEP: 3072:nApnTT9zlob9xensewyvnU02bY5ubAm3Oks:nApTTdl4ensewyvnU0r53m3Oks
Malware Config
Extracted: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e580088.exe
UAC bypass (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e580088.exe
Windows security bypass (12 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e580088.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  3740 | e57dadf.exe
  2528 | e57dc27.exe
  4908 | e580088.exe
  4268 | e5800a7.exe
UPX-packed memory regions (yara rule matches, 29 IoCs)
  resource | yara_rule
  behavioral2/memory/3740-12-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-8-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-9-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-10-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-31-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-30-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-20-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-11-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-13-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-19-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-37-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-38-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-39-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-41-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-40-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-43-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-57-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-70-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-72-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-74-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-75-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-76-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-79-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-82-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-84-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-85-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/3740-87-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
  behavioral2/memory/4908-127-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
  behavioral2/memory/4908-162-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
Windows security modification (14 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57dadf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e580088.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e580088.exe
Checks whether UAC is enabled (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e580088.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dadf.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\E: | e57dadf.exe
  File opened (read-only) | \??\J: | e57dadf.exe
  File opened (read-only) | \??\G: | e580088.exe
  File opened (read-only) | \??\P: | e57dadf.exe
  File opened (read-only) | \??\E: | e580088.exe
  File opened (read-only) | \??\H: | e580088.exe
  File opened (read-only) | \??\G: | e57dadf.exe
  File opened (read-only) | \??\H: | e57dadf.exe
  File opened (read-only) | \??\K: | e57dadf.exe
  File opened (read-only) | \??\L: | e57dadf.exe
  File opened (read-only) | \??\I: | e580088.exe
  File opened (read-only) | \??\I: | e57dadf.exe
  File opened (read-only) | \??\M: | e57dadf.exe
  File opened (read-only) | \??\N: | e57dadf.exe
  File opened (read-only) | \??\O: | e57dadf.exe
Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\7-Zip\7z.exe | e57dadf.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57dadf.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57dadf.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\e57db2d | e57dadf.exe
  File opened for modification | C:\Windows\SYSTEM.INI | e57dadf.exe
  File created | C:\Windows\e582bbe | e580088.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  3740 | e57dadf.exe
  3740 | e57dadf.exe
  3740 | e57dadf.exe
  3740 | e57dadf.exe
  4908 | e580088.exe
  4908 | e580088.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3740 | e57dadf.exe   (all 64 entries identical)
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 880 wrote to memory of 628 | 880 | rundll32.exe | 84   (3 entries)
  PID 628 wrote to memory of 3740 | 628 | rundll32.exe | 85   (3 entries)
  PID 3740 wrote to memory of 780 | 3740 | e57dadf.exe | 8
  PID 3740 wrote to memory of 784 | 3740 | e57dadf.exe | 9
  PID 3740 wrote to memory of 1008 | 3740 | e57dadf.exe | 13
  PID 3740 wrote to memory of 2508 | 3740 | e57dadf.exe | 42
  PID 3740 wrote to memory of 2520 | 3740 | e57dadf.exe | 43
  PID 3740 wrote to memory of 2684 | 3740 | e57dadf.exe | 45
  PID 3740 wrote to memory of 3544 | 3740 | e57dadf.exe | 56
  PID 3740 wrote to memory of 3660 | 3740 | e57dadf.exe | 57
  PID 3740 wrote to memory of 3852 | 3740 | e57dadf.exe | 58
  PID 3740 wrote to memory of 3948 | 3740 | e57dadf.exe | 59
  PID 3740 wrote to memory of 4024 | 3740 | e57dadf.exe | 60
  PID 3740 wrote to memory of 516 | 3740 | e57dadf.exe | 61
  PID 3740 wrote to memory of 3044 | 3740 | e57dadf.exe | 62
  PID 3740 wrote to memory of 4512 | 3740 | e57dadf.exe | 75
  PID 3740 wrote to memory of 1000 | 3740 | e57dadf.exe | 76
  PID 3740 wrote to memory of 2496 | 3740 | e57dadf.exe | 81
  PID 3740 wrote to memory of 2492 | 3740 | e57dadf.exe | 82
  PID 3740 wrote to memory of 880 | 3740 | e57dadf.exe | 83
  PID 3740 wrote to memory of 628 | 3740 | e57dadf.exe | 84   (2 entries)
  PID 628 wrote to memory of 2528 | 628 | rundll32.exe | 86   (3 entries)
  PID 628 wrote to memory of 4908 | 628 | rundll32.exe | 94   (3 entries)
  PID 628 wrote to memory of 4268 | 628 | rundll32.exe | 95   (3 entries)
  PID 3740 wrote to memory of 780 | 3740 | e57dadf.exe | 8
  PID 3740 wrote to memory of 784 | 3740 | e57dadf.exe | 9
  PID 3740 wrote to memory of 1008 | 3740 | e57dadf.exe | 13
  PID 3740 wrote to memory of 2508 | 3740 | e57dadf.exe | 42
  PID 3740 wrote to memory of 2520 | 3740 | e57dadf.exe | 43
  PID 3740 wrote to memory of 2684 | 3740 | e57dadf.exe | 45
  PID 3740 wrote to memory of 3544 | 3740 | e57dadf.exe | 56
  PID 3740 wrote to memory of 3660 | 3740 | e57dadf.exe | 57
  PID 3740 wrote to memory of 3852 | 3740 | e57dadf.exe | 58
  PID 3740 wrote to memory of 3948 | 3740 | e57dadf.exe | 59
  PID 3740 wrote to memory of 4024 | 3740 | e57dadf.exe | 60
  PID 3740 wrote to memory of 516 | 3740 | e57dadf.exe | 61
  PID 3740 wrote to memory of 3044 | 3740 | e57dadf.exe | 62
  PID 3740 wrote to memory of 4512 | 3740 | e57dadf.exe | 75
  PID 3740 wrote to memory of 1000 | 3740 | e57dadf.exe | 76
  PID 3740 wrote to memory of 2496 | 3740 | e57dadf.exe | 81
  PID 3740 wrote to memory of 2492 | 3740 | e57dadf.exe | 82
  PID 3740 wrote to memory of 2528 | 3740 | e57dadf.exe | 86   (2 entries)
  PID 3740 wrote to memory of 1212 | 3740 | e57dadf.exe | 88
  PID 3740 wrote to memory of 2368 | 3740 | e57dadf.exe | 89
  PID 3740 wrote to memory of 4908 | 3740 | e57dadf.exe | 94   (2 entries)
  PID 3740 wrote to memory of 4268 | 3740 | e57dadf.exe | 95   (2 entries)
  PID 4908 wrote to memory of 780 | 4908 | e580088.exe | 8
  PID 4908 wrote to memory of 784 | 4908 | e580088.exe | 9
  PID 4908 wrote to memory of 1008 | 4908 | e580088.exe | 13
  PID 4908 wrote to memory of 2508 | 4908 | e580088.exe | 42
System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dadf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e580088.exe
Processes
(columns: image path | command line | PID; indentation shows tree depth, signatures listed under the process that triggered them)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1008
C:\Windows\system32\sihost.exe | sihost.exe | PID:2508
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2520
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2684
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3544
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\44cd8dc2bfa6b608b24637c18c581c20N.dll,#1 | PID:880
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\44cd8dc2bfa6b608b24637c18c581c20N.dll,#1 | PID:628
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57dadf.exe | C:\Users\Admin\AppData\Local\Temp\e57dadf.exe | PID:3740
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57dc27.exe | C:\Users\Admin\AppData\Local\Temp\e57dc27.exe | PID:2528
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\e580088.exe | C:\Users\Admin\AppData\Local\Temp\e580088.exe | PID:4908
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e5800a7.exe | C:\Users\Admin\AppData\Local\Temp\e5800a7.exe | PID:4268
        - Executes dropped EXE
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3660
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3852
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3948
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4024
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:516
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3044
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4512
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1000
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:2496
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2492
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1212
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2368
Network
MITRE ATT&CK Enterprise v15
(tactic, then technique (count): sub-technique (count))
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 731e5521d95f6c5f64ff01f17ba06395
SHA1: 9654f0044c8561f09f1dcdeed2f961005c6c6405
SHA256: 35904da8244e21955a9d9dbb7402133c1743eb0043f5026dfd6d1cc3ca8028a6
SHA512: 264ac14e4e7f5ae97d3c2ee0f43430eaadce35b308c594378a8d335e969a350f35a3bc8caf1607b9e89b2c24aa43b835441e8a00bfa64fd52176ab347f6c31d0

Filesize: 257B
MD5: 7de70d75de0072446e78b49dd6e17f61
SHA1: 2b8716d09908e0c331f6c8ba7c70a088edb649d4
SHA256: 7bbec1490e276c43e70fd144041bb9e931f33317a820b07166d5abb2ffdf16cc
SHA512: c657b1561062029a454acde2bda401a1e7e7fdff953839c43c04bdb8e133b1d063cea8b7b6e7f75cefeeb05e0a489e2c474027e7b6e95e09d381ceee1d352c6c