Analysis
- max time kernel: 92s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 18:52
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 8928cdc1e4cfc9b28ca71b706e637400N.dll
  - Resource: win7-20240705-en
General
- Target: 8928cdc1e4cfc9b28ca71b706e637400N.dll
- Size: 120KB
- MD5: 8928cdc1e4cfc9b28ca71b706e637400
- SHA1: 7b5048872972a21e0a2546541f8ed49e1e7afe03
- SHA256: 34535bc7c7f25f75ff853c9c683e39942f23b00dd9c838ccbc0b39b82905c9bc
- SHA512: ecfaabf026985804c1485d5a09891201ef2e45ae269554e4a2e87df3b6beafc87ccf8ec573678b134f36b51ba36d3a53a5b2c5cd329b03619ed4500c923112f6
- SSDEEP: 3072:2GDA2U3JTYiS+QDLVvsKCHcMwJW1nYqsT+X0:zAr5kbjPVvFCc/WtsTY
Malware Config
Extracted (family: sality)
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a037.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a037.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c505.exe
Executes dropped EXE (3 IoCs)
pid | Process
4888 | e57a037.exe
3728 | e57a1be.exe
2916 | e57c505.exe
UPX packed file (yara rule: upx, 30 IoCs)
resource | yara_rule
behavioral2/memory/4888-8-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-9-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-12-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-13-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-24-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-29-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-23-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-10-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-11-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-6-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-32-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-36-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-37-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-38-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-39-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-40-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-50-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-57-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-63-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-64-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-65-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-67-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-70-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-71-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-79-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-80-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-82-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/4888-83-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/2916-122-0x0000000000B60000-0x0000000001C1A000-memory.dmp | upx
behavioral2/memory/2916-153-0x0000000000B60000-0x0000000001C1A000-memory.dmp | upx
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a037.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c505.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c505.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c505.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c505.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | e57a037.exe
File opened (read-only) | \??\M: | e57a037.exe
File opened (read-only) | \??\N: | e57a037.exe
File opened (read-only) | \??\I: | e57c505.exe
File opened (read-only) | \??\H: | e57a037.exe
File opened (read-only) | \??\I: | e57a037.exe
File opened (read-only) | \??\H: | e57c505.exe
File opened (read-only) | \??\E: | e57a037.exe
File opened (read-only) | \??\O: | e57a037.exe
File opened (read-only) | \??\G: | e57c505.exe
File opened (read-only) | \??\G: | e57a037.exe
File opened (read-only) | \??\J: | e57a037.exe
File opened (read-only) | \??\K: | e57a037.exe
File opened (read-only) | \??\E: | e57c505.exe
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57a037.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57a037.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57a037.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57a095 | e57a037.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a037.exe
File created | C:\Windows\e57f126 | e57c505.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a037.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a1be.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c505.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4888 | e57a037.exe
4888 | e57a037.exe
4888 | e57a037.exe
4888 | e57a037.exe
2916 | e57c505.exe
2916 | e57c505.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4888 | e57a037.exe   (this identical row occurs 64 times)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2812 wrote to memory of 3896 | 2812 | rundll32.exe | 84
PID 2812 wrote to memory of 3896 | 2812 | rundll32.exe | 84
PID 2812 wrote to memory of 3896 | 2812 | rundll32.exe | 84
PID 3896 wrote to memory of 4888 | 3896 | rundll32.exe | 85
PID 3896 wrote to memory of 4888 | 3896 | rundll32.exe | 85
PID 3896 wrote to memory of 4888 | 3896 | rundll32.exe | 85
PID 4888 wrote to memory of 780 | 4888 | e57a037.exe | 8
PID 4888 wrote to memory of 788 | 4888 | e57a037.exe | 9
PID 4888 wrote to memory of 316 | 4888 | e57a037.exe | 13
PID 4888 wrote to memory of 3020 | 4888 | e57a037.exe | 50
PID 4888 wrote to memory of 1268 | 4888 | e57a037.exe | 51
PID 4888 wrote to memory of 2696 | 4888 | e57a037.exe | 52
PID 4888 wrote to memory of 3396 | 4888 | e57a037.exe | 56
PID 4888 wrote to memory of 3584 | 4888 | e57a037.exe | 57
PID 4888 wrote to memory of 3788 | 4888 | e57a037.exe | 58
PID 4888 wrote to memory of 3884 | 4888 | e57a037.exe | 59
PID 4888 wrote to memory of 3948 | 4888 | e57a037.exe | 60
PID 4888 wrote to memory of 4036 | 4888 | e57a037.exe | 61
PID 4888 wrote to memory of 4104 | 4888 | e57a037.exe | 62
PID 4888 wrote to memory of 2188 | 4888 | e57a037.exe | 74
PID 4888 wrote to memory of 2332 | 4888 | e57a037.exe | 76
PID 4888 wrote to memory of 3672 | 4888 | e57a037.exe | 81
PID 4888 wrote to memory of 1928 | 4888 | e57a037.exe | 82
PID 4888 wrote to memory of 2812 | 4888 | e57a037.exe | 83
PID 4888 wrote to memory of 3896 | 4888 | e57a037.exe | 84
PID 4888 wrote to memory of 3896 | 4888 | e57a037.exe | 84
PID 3896 wrote to memory of 3728 | 3896 | rundll32.exe | 86
PID 3896 wrote to memory of 3728 | 3896 | rundll32.exe | 86
PID 3896 wrote to memory of 3728 | 3896 | rundll32.exe | 86
PID 3896 wrote to memory of 2916 | 3896 | rundll32.exe | 90
PID 3896 wrote to memory of 2916 | 3896 | rundll32.exe | 90
PID 3896 wrote to memory of 2916 | 3896 | rundll32.exe | 90
PID 4888 wrote to memory of 780 | 4888 | e57a037.exe | 8
PID 4888 wrote to memory of 788 | 4888 | e57a037.exe | 9
PID 4888 wrote to memory of 316 | 4888 | e57a037.exe | 13
PID 4888 wrote to memory of 3020 | 4888 | e57a037.exe | 50
PID 4888 wrote to memory of 1268 | 4888 | e57a037.exe | 51
PID 4888 wrote to memory of 2696 | 4888 | e57a037.exe | 52
PID 4888 wrote to memory of 3396 | 4888 | e57a037.exe | 56
PID 4888 wrote to memory of 3584 | 4888 | e57a037.exe | 57
PID 4888 wrote to memory of 3788 | 4888 | e57a037.exe | 58
PID 4888 wrote to memory of 3884 | 4888 | e57a037.exe | 59
PID 4888 wrote to memory of 3948 | 4888 | e57a037.exe | 60
PID 4888 wrote to memory of 4036 | 4888 | e57a037.exe | 61
PID 4888 wrote to memory of 4104 | 4888 | e57a037.exe | 62
PID 4888 wrote to memory of 2188 | 4888 | e57a037.exe | 74
PID 4888 wrote to memory of 2332 | 4888 | e57a037.exe | 76
PID 4888 wrote to memory of 3672 | 4888 | e57a037.exe | 81
PID 4888 wrote to memory of 1928 | 4888 | e57a037.exe | 82
PID 4888 wrote to memory of 3728 | 4888 | e57a037.exe | 86
PID 4888 wrote to memory of 3728 | 4888 | e57a037.exe | 86
PID 4888 wrote to memory of 3996 | 4888 | e57a037.exe | 88
PID 4888 wrote to memory of 4440 | 4888 | e57a037.exe | 89
PID 4888 wrote to memory of 2916 | 4888 | e57a037.exe | 90
PID 4888 wrote to memory of 2916 | 4888 | e57a037.exe | 90
PID 2916 wrote to memory of 780 | 2916 | e57c505.exe | 8
PID 2916 wrote to memory of 788 | 2916 | e57c505.exe | 9
PID 2916 wrote to memory of 316 | 2916 | e57c505.exe | 13
PID 2916 wrote to memory of 3020 | 2916 | e57c505.exe | 50
PID 2916 wrote to memory of 1268 | 2916 | e57c505.exe | 51
PID 2916 wrote to memory of 2696 | 2916 | e57c505.exe | 52
PID 2916 wrote to memory of 3396 | 2916 | e57c505.exe | 56
PID 2916 wrote to memory of 3584 | 2916 | e57c505.exe | 57
PID 2916 wrote to memory of 3788 | 2916 | e57c505.exe | 58
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c505.exe
Processes (nested by the tree depth shown in the report; each entry gives image path, command line and PID)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 780
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 788
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID 316
- C:\Windows\system32\sihost.exe | sihost.exe | PID 3020
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 1268
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2696
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3396
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8928cdc1e4cfc9b28ca71b706e637400N.dll,#1 | PID 2812
    signatures:
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8928cdc1e4cfc9b28ca71b706e637400N.dll,#1 | PID 3896
      signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57a037.exe | C:\Users\Admin\AppData\Local\Temp\e57a037.exe | PID 4888
        signatures:
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57a1be.exe | C:\Users\Admin\AppData\Local\Temp\e57a1be.exe | PID 3728
        signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57c505.exe | C:\Users\Admin\AppData\Local\Temp\e57c505.exe | PID 2916
        signatures:
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3584
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3788
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3884
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3948
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4036
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4104
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 2188
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2332
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 3672
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 1928
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3996
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4440
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 7fb3e1c0e790c62589bdb3f09262c1d0
  SHA1: 6086e571d9ed14945ece23e1a0172aa74eb6cc2c
  SHA256: 2dd46bcdcfb88b8b3ab9ac07edccc31db4db1d7779e62bf51a6e80d5a0803481
  SHA512: 6775844668d042b513643231f83d70eeb629db781465d3637866795b8a54d4a6599d7cb6dd76624875348849cea1f95af99831f1831d87bd0e3e199d970d11df
- Filesize: 257B
  MD5: 17b81b99aaa65096271a0dc1e27dd327
  SHA1: ec0b7f43945b1362564714ad5754e2b9f191143d
  SHA256: 3fecab93d5b395ecb00093ba33cf0ce85dcca27697f2becc89d2a1d0207c85fc
  SHA512: df76b24cd5785e74d1858231a8a1ecf343162aee400d954def29462197f563a870b38cf4f9b85598ab9864d887aa1876addce09847b1e1e2d8f52d3073f4692c