Analysis
max time kernel: 73s
max time network: 73s
platform: windows11_x64
resource: win11
submitted: 20-10-2021 13:43
Static task: static1
Behavioral task: behavioral1
Sample: rbs.exe
Resource: win11 (windows11_x64)
0 signatures, 0 seconds
General
Target: rbs.exe
Size: 53KB
MD5: c6edb2242607a0e09ac7cddc4d65443f
SHA1: 8a09c4f1b8c930b6f3fff304e4fc6dc12639820d
SHA256: 4ef4c2b02aeef11ca823584186903598cdf844eb1d089ca94c2aedd776e901cd
SHA512: 4a79134da78fdf5e11323ad234764c48adc6c7269d7814b8e17373971d3de101e048a7975fb47bf946b6df71f94885ef80ded8903bf31fae49a8e5d21433d692
Score: 10/10
Malware Config (extracted)
Path: C:\how_to_back_files.html
Ransom Note:
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="help_24_decr1@outlook.com ">help_24_decr1@outlook.com </a>
<br><a href="help_24_decr2@outlook.com">help_24_decr2@outlook.com</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
help_24_decr1@outlook.com
help_24_decr2@outlook.com
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: rbs.exe
Set value (str): \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\rbs.exe"
Key created: \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
Drops desktop.ini file(s) (28 IoCs)
Process: rbs.exe
Drops file in Program Files directory (64 IoCs)
Process: rbs.exe
Modifies data under HKEY_USERS (1 IoC)
Process: svchost.exe
Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Process: svchost.exe (pid 4692)
Token: SeSystemtimePrivilege
Token: SeSystemtimePrivilege
Token: SeIncBasePriorityPrivilege
Processes
C:\Users\Admin\AppData\Local\Temp\rbs.exe
command line: "C:\Users\Admin\AppData\Local\Temp\rbs.exe"
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
C:\Windows\System32\Upfc.exe
command line: C:\Windows\System32\Upfc.exe /launchtype periodic /cv kJH0vQ/BqkKCLRpSZt3qDw.0
C:\Windows\System32\sihclient.exe
command line: C:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.2
C:\Windows\system32\svchost.exe
command line: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\svchost.exe
command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
- Modifies data under HKEY_USERS
C:\Windows\system32\svchost.exe
command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV