Analysis
max time kernel: 33s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 15:10
Static task: static1
Behavioral task: behavioral1
Sample: 82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175.dll
Resource: win7-20240903-en
General
Target: 82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175.dll
Size: 120KB
MD5: 005dddd4d453daf2c6e1dfcf5005a9b2
SHA1: 1036e2c9fc35288aaeafbf405598a8185788aa20
SHA256: 82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175
SHA512: 5d3c06a8b81a5671b1b84fc179be8f45c64dcf2811cb3459b83e89aafbc4cb330a780a346e2b1c66fdde34f87444b297c601d08521833df16a741fc40c606c44
SSDEEP: 1536:BlO+6YXHf3lXPCUcg3u3ZDBaEM9FDhFOW2G8kutBUlF8QD7Zint9Q5ndQGD/Vhd:BZZHFC9gnEoF9J8kYUBDKAqGLR
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b834.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e956.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b834.exe

Executes dropped EXE (3 IoCs)
pid | Process
2032 | e57b834.exe
4388 | e57b9da.exe
2872 | e57e956.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e956.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b834.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e956.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b834.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e956.exe

Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57b834.exe
File opened (read-only) | \??\K: | e57b834.exe
File opened (read-only) | \??\M: | e57b834.exe
File opened (read-only) | \??\E: | e57e956.exe
File opened (read-only) | \??\G: | e57e956.exe
File opened (read-only) | \??\H: | e57e956.exe
File opened (read-only) | \??\I: | e57e956.exe
File opened (read-only) | \??\E: | e57b834.exe
File opened (read-only) | \??\H: | e57b834.exe
File opened (read-only) | \??\I: | e57b834.exe
File opened (read-only) | \??\J: | e57b834.exe
File opened (read-only) | \??\L: | e57b834.exe
File opened (read-only) | \??\J: | e57e956.exe

resource | yara_rule
behavioral2/memory/2032-8-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-9-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-11-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-27-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-31-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-19-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-18-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-10-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-12-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-6-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-33-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-36-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-37-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-38-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-40-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-39-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-47-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-58-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-59-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-61-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-63-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-64-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-65-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-68-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2032-70-0x0000000000840000-0x00000000018FA000-memory.dmp | upx
behavioral2/memory/2872-95-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/2872-127-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/2872-151-0x0000000000810000-0x00000000018CA000-memory.dmp | upx

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57b892 | e57b834.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57b834.exe
File created | C:\Windows\e58117f | e57e956.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b834.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b9da.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e956.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2032 | e57b834.exe
2032 | e57b834.exe
2032 | e57b834.exe
2032 | e57b834.exe
2872 | e57e956.exe
2872 | e57e956.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2032 | e57b834.exe (64 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2768 wrote to memory of 4644 | 2768 | rundll32.exe | 83
PID 2768 wrote to memory of 4644 | 2768 | rundll32.exe | 83
PID 2768 wrote to memory of 4644 | 2768 | rundll32.exe | 83
PID 4644 wrote to memory of 2032 | 4644 | rundll32.exe | 84
PID 4644 wrote to memory of 2032 | 4644 | rundll32.exe | 84
PID 4644 wrote to memory of 2032 | 4644 | rundll32.exe | 84
PID 2032 wrote to memory of 792 | 2032 | e57b834.exe | 9
PID 2032 wrote to memory of 796 | 2032 | e57b834.exe | 10
PID 2032 wrote to memory of 384 | 2032 | e57b834.exe | 13
PID 2032 wrote to memory of 2536 | 2032 | e57b834.exe | 42
PID 2032 wrote to memory of 2556 | 2032 | e57b834.exe | 43
PID 2032 wrote to memory of 2636 | 2032 | e57b834.exe | 44
PID 2032 wrote to memory of 3144 | 2032 | e57b834.exe | 54
PID 2032 wrote to memory of 3604 | 2032 | e57b834.exe | 57
PID 2032 wrote to memory of 3812 | 2032 | e57b834.exe | 58
PID 2032 wrote to memory of 3912 | 2032 | e57b834.exe | 59
PID 2032 wrote to memory of 3996 | 2032 | e57b834.exe | 60
PID 2032 wrote to memory of 4080 | 2032 | e57b834.exe | 61
PID 2032 wrote to memory of 3748 | 2032 | e57b834.exe | 62
PID 2032 wrote to memory of 1568 | 2032 | e57b834.exe | 75
PID 2032 wrote to memory of 1684 | 2032 | e57b834.exe | 76
PID 2032 wrote to memory of 1124 | 2032 | e57b834.exe | 81
PID 2032 wrote to memory of 2768 | 2032 | e57b834.exe | 82
PID 2032 wrote to memory of 4644 | 2032 | e57b834.exe | 83
PID 2032 wrote to memory of 4644 | 2032 | e57b834.exe | 83
PID 4644 wrote to memory of 4388 | 4644 | rundll32.exe | 85
PID 4644 wrote to memory of 4388 | 4644 | rundll32.exe | 85
PID 4644 wrote to memory of 4388 | 4644 | rundll32.exe | 85
PID 2032 wrote to memory of 792 | 2032 | e57b834.exe | 9
PID 2032 wrote to memory of 796 | 2032 | e57b834.exe | 10
PID 2032 wrote to memory of 384 | 2032 | e57b834.exe | 13
PID 2032 wrote to memory of 2536 | 2032 | e57b834.exe | 42
PID 2032 wrote to memory of 2556 | 2032 | e57b834.exe | 43
PID 2032 wrote to memory of 2636 | 2032 | e57b834.exe | 44
PID 2032 wrote to memory of 3144 | 2032 | e57b834.exe | 54
PID 2032 wrote to memory of 3604 | 2032 | e57b834.exe | 57
PID 2032 wrote to memory of 3812 | 2032 | e57b834.exe | 58
PID 2032 wrote to memory of 3912 | 2032 | e57b834.exe | 59
PID 2032 wrote to memory of 3996 | 2032 | e57b834.exe | 60
PID 2032 wrote to memory of 4080 | 2032 | e57b834.exe | 61
PID 2032 wrote to memory of 3748 | 2032 | e57b834.exe | 62
PID 2032 wrote to memory of 1568 | 2032 | e57b834.exe | 75
PID 2032 wrote to memory of 1684 | 2032 | e57b834.exe | 76
PID 2032 wrote to memory of 1124 | 2032 | e57b834.exe | 81
PID 2032 wrote to memory of 2768 | 2032 | e57b834.exe | 82
PID 2032 wrote to memory of 4388 | 2032 | e57b834.exe | 85
PID 2032 wrote to memory of 4388 | 2032 | e57b834.exe | 85
PID 4644 wrote to memory of 2872 | 4644 | rundll32.exe | 86
PID 4644 wrote to memory of 2872 | 4644 | rundll32.exe | 86
PID 4644 wrote to memory of 2872 | 4644 | rundll32.exe | 86
PID 2872 wrote to memory of 792 | 2872 | e57e956.exe | 9
PID 2872 wrote to memory of 796 | 2872 | e57e956.exe | 10
PID 2872 wrote to memory of 384 | 2872 | e57e956.exe | 13
PID 2872 wrote to memory of 2536 | 2872 | e57e956.exe | 42
PID 2872 wrote to memory of 2556 | 2872 | e57e956.exe | 43
PID 2872 wrote to memory of 2636 | 2872 | e57e956.exe | 44
PID 2872 wrote to memory of 3144 | 2872 | e57e956.exe | 54
PID 2872 wrote to memory of 3604 | 2872 | e57e956.exe | 57
PID 2872 wrote to memory of 3812 | 2872 | e57e956.exe | 58
PID 2872 wrote to memory of 3912 | 2872 | e57e956.exe | 59
PID 2872 wrote to memory of 3996 | 2872 | e57e956.exe | 60
PID 2872 wrote to memory of 4080 | 2872 | e57e956.exe | 61
PID 2872 wrote to memory of 3748 | 2872 | e57e956.exe | 62
PID 2872 wrote to memory of 1568 | 2872 | e57e956.exe | 75

System policy modification (1 TTP, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b834.exe
Processes

C:\Windows\system32\fontdrvhost.exe
    command line: "fontdrvhost.exe"
    PID: 792

C:\Windows\system32\fontdrvhost.exe
    command line: "fontdrvhost.exe"
    PID: 796

C:\Windows\system32\dwm.exe
    command line: "dwm.exe"
    PID: 384

C:\Windows\system32\sihost.exe
    command line: sihost.exe
    PID: 2536

C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2556

C:\Windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2636

C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3144

    C:\Windows\system32\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175.dll,#1
        PID: 2768
        signatures:
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe
            command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175.dll,#1
            PID: 4644
            signatures:
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\e57b834.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e57b834.exe
                PID: 2032
                signatures:
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification

            C:\Users\Admin\AppData\Local\Temp\e57b9da.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e57b9da.exe
                PID: 4388
                signatures:
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\e57e956.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e57e956.exe
                PID: 2872
                signatures:
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification

C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3604

C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3912

C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 4080

C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3748

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 1568

C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 1684

C:\Windows\system32\backgroundTaskHost.exe
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    PID: 1124
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: c961515ad078fd7bf66e7aa030289959
SHA1: 70a37672dbd8b0cd7132a1769c0080bbfd8e1c2c
SHA256: b31bf0e3dd22240e2105c9a4f4cbb970f9ebc3e74484fcc5c8c159c5e48f05b3
SHA512: d38d4daa372bde76a4d8515acc9854e7bb1b663157122dc71d3f5744e95c2a4076d907a0f6037494ca005f1221727ddb1c63587b8d6b61335fad7cd700dc1c52

Filesize: 256B
MD5: 973437b0b21e04a411b9d29c4aeaebf8
SHA1: ebf31729c52048da32f1b892e566b0d6513da952
SHA256: cb590582caa8bed1a222615af63cf2c44ea6003e3d6ff65656547a81677fa784
SHA512: ad3261c6c599abcd536e1a9592ae53f6a36653d692d669158a00354c57a39b8f8e22a5250a7e7a630088decb3827d0b3aa5f02bcce4a9343abe53585fd115981