Analysis
  max time kernel: 33s
  max time network: 94s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 16/12/2024, 05:08

Static task: static1
Behavioral task: behavioral1
  Sample: 6bbf1bff8c2dd8396f4b3cd96993ed75ff7a9640a5a552fcd7db08314e0ac7b6N.dll
  Resource: win7-20240903-en
General
  Target: 6bbf1bff8c2dd8396f4b3cd96993ed75ff7a9640a5a552fcd7db08314e0ac7b6N.dll
  Size: 120KB
  MD5: 52aba742b42a8b2c3f38d76c75a6e280
  SHA1: 278b6b7fee8401e18d69e5816a8784fd242b1ecc
  SHA256: 6bbf1bff8c2dd8396f4b3cd96993ed75ff7a9640a5a552fcd7db08314e0ac7b6
  SHA512: 3c4bb4e88403c09d7f85e30382ed48deff46256883660836e1f9e69910fd41d435402c9435779147c90d8bf868d5a18697bedec6adb2349999059023654b5380
  SSDEEP: 1536:2SVfsO/hVnR+EdiEIjy7W36Sx9tCxOCOwEdq+/mQSaY4tPjB9WGAq+868emufnNQ:ZzbR+EZH7c6S8Cq+OlB4tPdMGU8Y+2m
Malware Config
  Extracted family: sality
  C2 / update URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  (3 TTPs, 6 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579db7.exe
Sality family

UAC bypass  (2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d1e6.exe

Windows security bypass  (12 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579db7.exe
Executes dropped EXE  (3 IoCs)
  pid | process
  4716 | e579db7.exe
  4500 | e579f1e.exe
  2972 | e57d1e6.exe

Windows security modification  (14 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579db7.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d1e6.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d1e6.exe

Checks whether UAC is enabled  (2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d1e6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579db7.exe
Enumerates connected drives  (3 TTPs, 12 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\H: | e57d1e6.exe
  File opened (read-only) | \??\I: | e57d1e6.exe
  File opened (read-only) | \??\G: | e579db7.exe
  File opened (read-only) | \??\I: | e579db7.exe
  File opened (read-only) | \??\J: | e579db7.exe
  File opened (read-only) | \??\K: | e579db7.exe
  File opened (read-only) | \??\M: | e579db7.exe
  File opened (read-only) | \??\G: | e57d1e6.exe
  File opened (read-only) | \??\E: | e579db7.exe
  File opened (read-only) | \??\H: | e579db7.exe
  File opened (read-only) | \??\L: | e579db7.exe
  File opened (read-only) | \??\E: | e57d1e6.exe
UPX packed memory regions  (yara rule: upx, 26 IoCs)
  resource | yara_rule
  behavioral2/memory/4716-N-0x00000000008C0000-0x000000000197A000-memory.dmp, for N in 6, 8, 9, 10, 11, 17, 18, 26, 27, 33, 35, 36, 37, 38, 39, 40, 48, 56, 59, 60, 62, 65, 66, 70 (24 dumps, same 0x10BA000-byte region of e579db7.exe) | upx
  behavioral2/memory/2972-N-0x00000000008B0000-0x000000000196A000-memory.dmp, for N in 103, 145 (2 dumps, same region of e57d1e6.exe) | upx
Drops file in Windows directory  (3 IoCs)
  description | ioc | process
  File created | C:\Windows\e579e15 | e579db7.exe
  File opened for modification | C:\Windows\SYSTEM.INI | e579db7.exe
  File created | C:\Windows\e57f964 | e57d1e6.exe
System Location Discovery: System Language Discovery  (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579db7.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579f1e.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d1e6.exe
Suspicious behavior: EnumeratesProcesses  (6 IoCs)
  pid | process
  4716 | e579db7.exe  (x4)
  2972 | e57d1e6.exe  (x2)
Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4716 | e579db7.exe  (64 identical entries; the sandbox caps the list at 64)
Suspicious use of WriteProcessMemory  (64 IoCs)
  description | pid | process | procid_target
  (procid_target is the sandbox's internal process index, not a PID; exact duplicate rows are collapsed with a count)
  PID 2344 wrote to memory of 540 | 2344 | rundll32.exe | 83  (x3)
  PID 540 wrote to memory of 4716 | 540 | rundll32.exe | 84  (x3)
  PID 540 wrote to memory of 4500 | 540 | rundll32.exe | 85  (x3)
  PID 540 wrote to memory of 2972 | 540 | rundll32.exe | 87  (x3)
  PID 4716 wrote to memory of 780 | 4716 | e579db7.exe | 9  (x2)
  PID 4716 wrote to memory of 788 | 4716 | e579db7.exe | 10  (x2)
  PID 4716 wrote to memory of 1012 | 4716 | e579db7.exe | 13  (x2)
  PID 4716 wrote to memory of 2700 | 4716 | e579db7.exe | 45  (x2)
  PID 4716 wrote to memory of 2820 | 4716 | e579db7.exe | 50  (x2)
  PID 4716 wrote to memory of 2888 | 4716 | e579db7.exe | 52  (x2)
  PID 4716 wrote to memory of 3476 | 4716 | e579db7.exe | 56  (x2)
  PID 4716 wrote to memory of 3616 | 4716 | e579db7.exe | 57  (x2)
  PID 4716 wrote to memory of 3796 | 4716 | e579db7.exe | 58  (x2)
  PID 4716 wrote to memory of 3896 | 4716 | e579db7.exe | 59  (x2)
  PID 4716 wrote to memory of 3972 | 4716 | e579db7.exe | 60  (x2)
  PID 4716 wrote to memory of 4056 | 4716 | e579db7.exe | 61  (x2)
  PID 4716 wrote to memory of 3496 | 4716 | e579db7.exe | 62  (x2)
  PID 4716 wrote to memory of 5000 | 4716 | e579db7.exe | 75  (x2)
  PID 4716 wrote to memory of 1172 | 4716 | e579db7.exe | 76  (x2)
  PID 4716 wrote to memory of 4988 | 4716 | e579db7.exe | 81  (x2)
  PID 4716 wrote to memory of 2344 | 4716 | e579db7.exe | 82  (x2)
  PID 4716 wrote to memory of 540 | 4716 | e579db7.exe | 83  (x2)
  PID 4716 wrote to memory of 4500 | 4716 | e579db7.exe | 85  (x2)
  PID 2972 wrote to memory of 780 | 2972 | e57d1e6.exe | 9
  PID 2972 wrote to memory of 788 | 2972 | e57d1e6.exe | 10
  PID 2972 wrote to memory of 1012 | 2972 | e57d1e6.exe | 13
  PID 2972 wrote to memory of 2700 | 2972 | e57d1e6.exe | 45
  PID 2972 wrote to memory of 2820 | 2972 | e57d1e6.exe | 50
  PID 2972 wrote to memory of 2888 | 2972 | e57d1e6.exe | 52
  PID 2972 wrote to memory of 3476 | 2972 | e57d1e6.exe | 56
  PID 2972 wrote to memory of 3616 | 2972 | e57d1e6.exe | 57
  PID 2972 wrote to memory of 3796 | 2972 | e57d1e6.exe | 58
  PID 2972 wrote to memory of 3896 | 2972 | e57d1e6.exe | 59
  PID 2972 wrote to memory of 3972 | 2972 | e57d1e6.exe | 60
  PID 2972 wrote to memory of 4056 | 2972 | e57d1e6.exe | 61
  PID 2972 wrote to memory of 3496 | 2972 | e57d1e6.exe | 62
  PID 2972 wrote to memory of 5000 | 2972 | e57d1e6.exe | 75
System policy modification  (1 TTP, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579db7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d1e6.exe
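The registry writes in the signatures above (firewall policy, EnableLUA, Security Center) are what a host-side detection would key on. The following is an added example, not part of the tria.ge report: Python detection logic run over constructed records shaped like Sysmon Event ID 13 (registry value set: Image, TargetObject, Details), mapped to the ATT&CK techniques the report's matrix lists. The event shape, the rule identifiers and SAMPLE_EVENTS are assumptions made for this example; the technique IDs are MITRE's. One caveat the report makes visible: the DLL runs as 32-bit code under the SysWOW64 rundll32, so its Security Center writes land under WOW6432Node, and the sandbox spells the hive as \REGISTRY\MACHINE\...\ControlSet001 while Sysmon spells it HKLM\...\CurrentControlSet. The normaliser folds both away so a single rule fires on either view.

```python
"""Registry-tamper detection for the value writes attributed to e579db7.exe and e57d1e6.exe.

Added example, not sandbox output. Events are dicts shaped like Sysmon Event ID 13
(Image, TargetObject, Details); SAMPLE_EVENTS is constructed from the IoCs on the page.
"""
import re

MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"


def normalize_target(target: str) -> tuple[str, str]:
    """Return (key, value_name) in a canonical upper-case HKLM\\... spelling."""
    t = target.upper()
    if t.startswith(MACHINE_PREFIX):
        t = "HKLM\\" + t[len(MACHINE_PREFIX):]
    # ControlSet001/002 and CurrentControlSet are views of the same data; collapse them.
    t = re.sub(r"^HKLM\\SYSTEM\\CONTROLSET\d{3}\\",
               lambda _m: "HKLM\\SYSTEM\\CURRENTCONTROLSET\\", t)
    # A 32-bit writer on a 64-bit host is redirected to WOW6432Node; drop the redirection.
    t = t.replace("\\WOW6432NODE\\", "\\")
    key, _, value = t.rpartition("\\")
    return key, value


def parse_dword(details: str):
    """Accept Sysmon's 'DWORD (0x00000001)' and the sandbox's quoted "1"; None if not numeric."""
    s = details.strip().strip('"')
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", s)
    if m:
        return int(m.group(1), 16)
    try:
        return int(s)
    except ValueError:
        return None


FIREWALL_KEY = (r"^HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\SHAREDACCESS\\PARAMETERS"
                r"\\FIREWALLPOLICY\\[A-Z]+PROFILE$")
RULES = [
    # (rule id, ATT&CK technique, key regex, value-name regex, predicate on the DWORD data)
    ("firewall_disabled", "T1562.004 Disable or Modify System Firewall",
     FIREWALL_KEY, r"^ENABLEFIREWALL$", lambda v: v == 0),
    ("firewall_notifications_off", "T1562.004 Disable or Modify System Firewall",
     FIREWALL_KEY, r"^DISABLENOTIFICATIONS$", lambda v: v == 1),
    # DoNotAllowExceptions = 0 (also written by the sample) is the Windows default; not alerted alone.
    ("uac_disabled", "T1548.002 Bypass User Account Control",
     r"^HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM$",
     r"^ENABLELUA$", lambda v: v == 0),
    ("security_center_tamper", "T1562.001 Disable or Modify Tools",
     r"^HKLM\\SOFTWARE\\MICROSOFT\\SECURITY CENTER$",
     r"^(ANTIVIRUS|FIREWALL|UPDATES|UAC)(DISABLENOTIFY|OVERRIDE)$", lambda v: v == 1),
]


def evaluate(events):
    """One finding per (event, rule) match: rule id, technique, writer image, normalised target."""
    findings = []
    for ev in events:
        key, name = normalize_target(ev["TargetObject"])
        data = parse_dword(ev.get("Details", ""))
        if data is None:
            continue
        for rule_id, technique, key_re, name_re, is_bad in RULES:
            if re.match(key_re, key) and re.match(name_re, name) and is_bad(data):
                findings.append({"rule": rule_id, "technique": technique,
                                 "image": ev["Image"], "target": key + "\\" + name})
    return findings


# Constructed sample events (not sandbox output); the first four mirror IoCs on the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\e579db7.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": '"0"'},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\e579db7.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\e57d1e6.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\e57d1e6.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions",
     "Details": "DWORD (0x00000000)"},
    # Benign: a default value and an unrelated key must not fire.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f['rule']:28} {f['technique']:48} {f['image']}")
```

Run against SAMPLE_EVENTS this yields three findings (firewall_disabled, uac_disabled, security_center_tamper) and stays silent on the default-valued and unrelated writes. On a live host the same predicates apply to the value data read back from the registry, but only if both the native and the WOW6432Node Security Center keys are read, which is exactly the redirection the normaliser hides.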
Processes  (indentation shows parent/child; signatures hit by a process are listed beneath it)

  C:\Windows\system32\fontdrvhost.exe  |  "fontdrvhost.exe"  |  PID 780
  C:\Windows\system32\fontdrvhost.exe  |  "fontdrvhost.exe"  |  PID 788
  C:\Windows\system32\dwm.exe  |  "dwm.exe"  |  PID 1012
  C:\Windows\system32\sihost.exe  |  sihost.exe  |  PID 2700
  C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  |  PID 2820
  C:\Windows\system32\taskhostw.exe  |  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  |  PID 2888
  C:\Windows\Explorer.EXE  |  C:\Windows\Explorer.EXE  |  PID 3476
    C:\Windows\system32\rundll32.exe  |  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bbf1bff8c2dd8396f4b3cd96993ed75ff7a9640a5a552fcd7db08314e0ac7b6N.dll,#1  |  PID 2344
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe  |  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bbf1bff8c2dd8396f4b3cd96993ed75ff7a9640a5a552fcd7db08314e0ac7b6N.dll,#1  |  PID 540
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\e579db7.exe  |  C:\Users\Admin\AppData\Local\Temp\e579db7.exe  |  PID 4716
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
        C:\Users\Admin\AppData\Local\Temp\e579f1e.exe  |  C:\Users\Admin\AppData\Local\Temp\e579f1e.exe  |  PID 4500
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\e57d1e6.exe  |  C:\Users\Admin\AppData\Local\Temp\e57d1e6.exe  |  PID 2972
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - System policy modification
  C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  |  PID 3616
  C:\Windows\system32\DllHost.exe  |  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  |  PID 3796
  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  |  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  |  PID 3896
  C:\Windows\System32\RuntimeBroker.exe  |  C:\Windows\System32\RuntimeBroker.exe -Embedding  |  PID 3972
  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  |  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  |  PID 4056
  C:\Windows\System32\RuntimeBroker.exe  |  C:\Windows\System32\RuntimeBroker.exe -Embedding  |  PID 3496
  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  |  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  |  PID 5000
  C:\Windows\System32\RuntimeBroker.exe  |  C:\Windows\System32\RuntimeBroker.exe -Embedding  |  PID 1172
  C:\Windows\system32\backgroundTaskHost.exe  |  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  |  PID 4988
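The WriteProcessMemory rows and the process tree above describe the same event from two sides: two executables dropped to %TEMP% each write into every other process in the session (fontdrvhost, dwm, sihost, Explorer, the svchosts, the RuntimeBrokers), and the two target sets are identical. The following is an added example, not part of the tria.ge report: Python that parses an excerpt of the rows as they appear on this page, collapses duplicates into a writer-to-targets graph, and flags writers that run from a user-writable path and touch several processes outside it. ROWS is an excerpt copied from the table (the full table has 64 rows); IMAGES is taken from the process tree; the path heuristic and the threshold are assumptions made for this example. The last column of each row is the sandbox's internal process index, not a PID, so it is parsed but never used as an identifier.

```python
"""Fan-out analysis of the 'Suspicious use of WriteProcessMemory' rows on this page.

Added example, not sandbox output. ROWS is an excerpt of the report's rows; IMAGES comes
from the report's process tree. Nothing here talks to a live system.
"""
import re
from collections import defaultdict

# PID <writer> wrote to memory of <target> <writer again> <writer image> <sandbox process index>
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

ROWS = """\
PID 2344 wrote to memory of 540 2344 rundll32.exe 83
PID 540 wrote to memory of 4716 540 rundll32.exe 84
PID 4716 wrote to memory of 780 4716 e579db7.exe 9
PID 4716 wrote to memory of 788 4716 e579db7.exe 10
PID 4716 wrote to memory of 1012 4716 e579db7.exe 13
PID 4716 wrote to memory of 2700 4716 e579db7.exe 45
PID 4716 wrote to memory of 3476 4716 e579db7.exe 56
PID 4716 wrote to memory of 3476 4716 e579db7.exe 56
PID 540 wrote to memory of 2972 540 rundll32.exe 87
PID 2972 wrote to memory of 780 2972 e57d1e6.exe 9
PID 2972 wrote to memory of 788 2972 e57d1e6.exe 10
PID 2972 wrote to memory of 1012 2972 e57d1e6.exe 13
PID 2972 wrote to memory of 2700 2972 e57d1e6.exe 45
PID 2972 wrote to memory of 3476 2972 e57d1e6.exe 56
"""

# PID -> image, from the 'Processes' tree on the page.
IMAGES = {
    780: r"C:\Windows\system32\fontdrvhost.exe",
    788: r"C:\Windows\system32\fontdrvhost.exe",
    1012: r"C:\Windows\system32\dwm.exe",
    2700: r"C:\Windows\system32\sihost.exe",
    3476: r"C:\Windows\Explorer.EXE",
    2344: r"C:\Windows\system32\rundll32.exe",
    540: r"C:\Windows\SysWOW64\rundll32.exe",
    4716: r"C:\Users\Admin\AppData\Local\Temp\e579db7.exe",
    2972: r"C:\Users\Admin\AppData\Local\Temp\e57d1e6.exe",
}


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image) per well-formed row; the index column is dropped."""
    for line in text.splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if m and m[1] == m[3]:  # the third column repeats the writer's pid
            yield int(m[1]), int(m[2]), m[4]


def fan_out(text):
    """Writer PID -> set of distinct target PIDs (duplicate rows collapse)."""
    graph = defaultdict(set)
    for src, dst, _ in parse_rows(text):
        graph[src].add(dst)
    return dict(graph)


def in_user_writable_path(image):
    """Heuristic (assumption): images under a profile's AppData/Temp, where the dropped payloads live."""
    low = image.lower()
    return "\\appdata\\" in low or "\\temp\\" in low


def flag_injectors(graph, images, min_targets=3):
    """Writers from a user-writable path that write into >= min_targets processes outside it.

    rundll32 writing into the drops it just started is a loader setting up its child and is
    excluded by the source-path test; writes between the drops themselves are excluded by the
    target-path test, so only writes into pre-existing OS/shell processes count.
    """
    findings = []
    for src, targets in graph.items():
        if not in_user_writable_path(images.get(src, "")):
            continue
        foreign = sorted(t for t in targets if not in_user_writable_path(images.get(t, "")))
        if len(foreign) >= min_targets:
            findings.append((src, images[src], foreign))
    return sorted(findings)


def shared_targets(findings):
    """Targets every flagged writer has in common; an identical set across writers is the
    'inject into everything in the session' pattern rather than a one-off."""
    sets = [set(f[2]) for f in findings]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    graph = fan_out(ROWS)
    hits = flag_injectors(graph, IMAGES)
    for pid, image, targets in hits:
        named = ", ".join(f"{t} ({IMAGES.get(t, '?')})" for t in targets)
        print(f"{pid} {image} -> {named}")
    print("shared targets:", shared_targets(hits))
```

On the excerpt both drops (4716 and 2972) are flagged with the same five targets, and the rundll32 pair is not, which is the distinction an analyst wants from this table: the loader chain is ordinary, the fan-out from a %TEMP% binary into fontdrvhost, dwm, sihost and Explorer is not.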
Network
MITRE ATT&CK Enterprise v15  (technique counts in parentheses)
  Privilege Escalation
    Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
    Create or Modify System Process (1): Windows Service (1)
  Defense Evasion
    Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
    Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

  Filesize: 97KB
  MD5: 7081ae3911b51dff0fbf5f06dab9479f
  SHA1: 10b5eea784175357fe1422fcd3da5e30be4ef2e0
  SHA256: 9b863d39010871cfe52e1772b39a68bd2d8b1fadf96dfc2915802b3804545bf6
  SHA512: b75855a1216d8ab5ded03e776e194fe3d74b1ab4826eb6d3dc5fca53af82fc73a943490927c1dc1346286c4a2ce0b95d2a3ac20296d48af36f7bd793f03d534a

  Filesize: 257B
  MD5: 7404db6ef6083dbd7ee6a501e502501d
  SHA1: 5ad2649d88d2e75e1495b41d73db1a7c5fb20d07
  SHA256: cf7f1a70bdbe344aec7890643a3966510676b8ae818db75c3536ec6c92dd329d
  SHA512: ed98d98a263a2ec76636308786b3be58cfb16827d77c3f367e670d683b883e05036ba341b9a967a0239bfcd3488751eb2983bdfe11e14c0176eaa4e83a709369