Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
139s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
03/10/2022, 17:23 UTC
General
-
Target
b6bc13f302f70194870dd4d1892c90219ae3a8f24cad9c9c8796dc2a8b84f571.exe
-
Size
58KB
-
MD5
3335ed96304ee15d63b63321b40bf090
-
SHA1
98a3236cede912d51c4d08bc83966a9805d83624
-
SHA256
b6bc13f302f70194870dd4d1892c90219ae3a8f24cad9c9c8796dc2a8b84f571
-
SHA512
b22f08d0a072b0387d5b3efc583d075e593f37a3f7201a81897dcebb40284ac2be3550d9890cf0aa664ec9e2b25908be341866e922598dcbde88cdb741ffba8c
-
SSDEEP
1536:EmbvRTJiHjcd5bT1jTzFpHb0gOnmkELbKntV/uNm:Em1TJiHjKZpHb0gKXEL+uNm
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca2⤵
-
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding2⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\b6bc13f302f70194870dd4d1892c90219ae3a8f24cad9c9c8796dc2a8b84f571.exe"C:\Users\Admin\AppData\Local\Temp\b6bc13f302f70194870dd4d1892c90219ae3a8f24cad9c9c8796dc2a8b84f571.exe"2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
Network
-
DNSilo.brenz.plRemote address:8.8.8.8:53Requestilo.brenz.plIN AResponseilo.brenz.plIN A148.81.111.121 -
DNSant.trenz.plRemote address:8.8.8.8:53Requestant.trenz.plIN AResponseant.trenz.plIN A148.81.111.121
-
DNSegainy.comRemote address:8.8.8.8:53Requestegainy.comIN AResponse
-
DNSiuinmz.comRemote address:8.8.8.8:53Requestiuinmz.comIN AResponse
-
DNSqypdea.comRemote address:8.8.8.8:53Requestqypdea.comIN AResponse
-
DNSzsesew.comRemote address:8.8.8.8:53Requestzsesew.comIN AResponse
-
DNSnailbz.comRemote address:8.8.8.8:53Requestnailbz.comIN AResponse
-
DNSgyrleo.comRemote address:8.8.8.8:53Requestgyrleo.comIN AResponse
-
DNSenliuu.comRemote address:8.8.8.8:53Requestenliuu.comIN AResponse
-
DNSwuaaxi.comRemote address:8.8.8.8:53Requestwuaaxi.comIN AResponse
-
DNShbmsse.comRemote address:8.8.8.8:53Requesthbmsse.comIN AResponse
-
DNSvtluiv.comRemote address:8.8.8.8:53Requestvtluiv.comIN AResponse
-
DNScbaowa.comRemote address:8.8.8.8:53Requestcbaowa.comIN A
-
DNScbaowa.comRemote address:8.8.8.8:53Requestcbaowa.comIN A
-
DNScbaowa.comRemote address:8.8.8.8:53Requestcbaowa.comIN A
-
DNScbaowa.comRemote address:8.8.8.8:53Requestcbaowa.comIN A
-
DNScbaowa.comRemote address:8.8.8.8:53Requestcbaowa.comIN A
-
DNS151.122.125.40.in-addr.arpaRemote address:8.8.8.8:53Request151.122.125.40.in-addr.arpaIN PTRResponse
-
DNSdogxon.comRemote address:8.8.8.8:53Requestdogxon.comIN AResponsedogxon.comIN A202.254.238.20
-
DNScutudj.comRemote address:8.8.8.8:53Requestcutudj.comIN AResponse
-
DNSfhsrxs.comRemote address:8.8.8.8:53Requestfhsrxs.comIN AResponse
-
DNSembmot.comRemote address:8.8.8.8:53Requestembmot.comIN AResponse
-
DNSzljufi.comRemote address:8.8.8.8:53Requestzljufi.comIN AResponse
-
DNSdoqukc.comRemote address:8.8.8.8:53Requestdoqukc.comIN AResponse
-
DNSmeigdl.comRemote address:8.8.8.8:53Requestmeigdl.comIN AResponsemeigdl.comIN A104.21.47.223meigdl.comIN A172.67.173.205
-
DNSilo.brenz.plRemote address:8.8.8.8:53Requestilo.brenz.plIN AResponseilo.brenz.plIN A148.81.111.121
-
DNSouyhgs.comRemote address:8.8.8.8:53Requestouyhgs.comIN AResponse
-
DNSariqte.comRemote address:8.8.8.8:53Requestariqte.comIN AResponse
-
DNSioqjfg.comRemote address:8.8.8.8:53Requestioqjfg.comIN AResponse
-
DNSttesaw.comRemote address:8.8.8.8:53Requestttesaw.comIN AResponse
-
DNSjkwdfs.comRemote address:8.8.8.8:53Requestjkwdfs.comIN AResponse
-
DNSlzrktj.comRemote address:8.8.8.8:53Requestlzrktj.comIN AResponse
-
DNSkeqyus.comRemote address:8.8.8.8:53Requestkeqyus.comIN AResponse
-
DNSfvhkpu.comRemote address:8.8.8.8:53Requestfvhkpu.comIN AResponse
-
DNSargyoh.comRemote address:8.8.8.8:53Requestargyoh.comIN AResponse
-
DNSoyczkg.comRemote address:8.8.8.8:53Requestoyczkg.comIN AResponse
-
DNSbstoeo.comRemote address:8.8.8.8:53Requestbstoeo.comIN AResponse
-
DNSgguaxr.comRemote address:8.8.8.8:53Requestgguaxr.comIN AResponse
-
DNShgzero.comRemote address:8.8.8.8:53Requesthgzero.comIN AResponsehgzero.comIN A154.31.45.113
-
DNSant.trenz.plRemote address:8.8.8.8:53Requestant.trenz.plIN AResponseant.trenz.plIN A148.81.111.121
-
DNSadomhh.comRemote address:8.8.8.8:53Requestadomhh.comIN AResponse
-
DNSdmcsdm.comRemote address:8.8.8.8:53Requestdmcsdm.comIN AResponse
-
DNSdyktyd.comRemote address:8.8.8.8:53Requestdyktyd.comIN AResponse
-
DNSjqrwrc.comRemote address:8.8.8.8:53Requestjqrwrc.comIN AResponse
-
DNSjqrpbv.comRemote address:8.8.8.8:53Requestjqrpbv.comIN AResponse
-
DNSmircge.comRemote address:8.8.8.8:53Requestmircge.comIN AResponse
-
DNSssmovv.comRemote address:8.8.8.8:53Requestssmovv.comIN AResponse
-
DNSkjirvh.comRemote address:8.8.8.8:53Requestkjirvh.comIN AResponse
-
DNSsmpaza.comRemote address:8.8.8.8:53Requestsmpaza.comIN AResponse
-
DNSwwqpst.comRemote address:8.8.8.8:53Requestwwqpst.comIN AResponse
-
DNSkbsvwu.comRemote address:8.8.8.8:53Requestkbsvwu.comIN AResponse
-
DNSvchaff.comRemote address:8.8.8.8:53Requestvchaff.comIN AResponse
-
DNSunsgbd.comRemote address:8.8.8.8:53Requestunsgbd.comIN AResponse
-
DNSyoyyst.comRemote address:8.8.8.8:53Requestyoyyst.comIN AResponse
-
DNSkbwnai.comRemote address:8.8.8.8:53Requestkbwnai.comIN AResponse
-
DNSzeezuu.comRemote address:8.8.8.8:53Requestzeezuu.comIN AResponsezeezuu.comIN A3.64.163.50
-
209.197.3.8:80
-
148.81.111.121:80ilo.brenz.pl -
2.18.109.224:443 -
20.50.80.209:443 -
209.197.3.8:80
-
209.197.3.8:80
-
209.197.3.8:80
-
148.81.111.121:80ant.trenz.pl
-
88.198.69.43:80 -
202.254.238.20:443dogxon.com -
104.21.47.223:443meigdl.com
-
148.81.111.121:80ilo.brenz.pl
-
154.31.45.113:443hgzero.com
-
148.81.111.121:80ant.trenz.pl
-
3.64.163.50:443zeezuu.com
-
8.8.8.8:53ilo.brenz.pldns
DNS Request
ilo.brenz.pl
DNS Response
148.81.111.121
-
8.8.8.8:53ant.trenz.pldns
DNS Request
ant.trenz.pl
DNS Response
148.81.111.121
-
8.8.8.8:53egainy.comdns
DNS Request
egainy.com
-
8.8.8.8:53iuinmz.comdns
DNS Request
iuinmz.com
-
8.8.8.8:53qypdea.comdns
DNS Request
qypdea.com
-
8.8.8.8:53zsesew.comdns
DNS Request
zsesew.com
-
8.8.8.8:53nailbz.comdns
DNS Request
nailbz.com
-
8.8.8.8:53gyrleo.comdns
DNS Request
gyrleo.com
-
8.8.8.8:53enliuu.comdns
DNS Request
enliuu.com
-
8.8.8.8:53wuaaxi.comdns
DNS Request
wuaaxi.com
-
8.8.8.8:53hbmsse.comdns
DNS Request
hbmsse.com
-
8.8.8.8:53vtluiv.comdns
DNS Request
vtluiv.com
-
8.8.8.8:53cbaowa.comdns
DNS Request
cbaowa.com
DNS Request
cbaowa.com
DNS Request
cbaowa.com
DNS Request
cbaowa.com
DNS Request
cbaowa.com
-
8.8.8.8:53151.122.125.40.in-addr.arpadns
DNS Request
151.122.125.40.in-addr.arpa
-
8.8.8.8:53dogxon.comdns
DNS Request
dogxon.com
DNS Response
202.254.238.20
-
8.8.8.8:53cutudj.comdns
DNS Request
cutudj.com
-
8.8.8.8:53fhsrxs.comdns
DNS Request
fhsrxs.com
-
8.8.8.8:53embmot.comdns
DNS Request
embmot.com
-
8.8.8.8:53zljufi.comdns
DNS Request
zljufi.com
-
8.8.8.8:53doqukc.comdns
DNS Request
doqukc.com
-
8.8.8.8:53meigdl.comdns
DNS Request
meigdl.com
DNS Response
104.21.47.223172.67.173.205
-
8.8.8.8:53ilo.brenz.pldns
DNS Request
ilo.brenz.pl
DNS Response
148.81.111.121
-
8.8.8.8:53ouyhgs.comdns
DNS Request
ouyhgs.com
-
8.8.8.8:53ariqte.comdns
DNS Request
ariqte.com
-
8.8.8.8:53ioqjfg.comdns
DNS Request
ioqjfg.com
-
8.8.8.8:53ttesaw.comdns
DNS Request
ttesaw.com
-
8.8.8.8:53jkwdfs.comdns
DNS Request
jkwdfs.com
-
8.8.8.8:53lzrktj.comdns
DNS Request
lzrktj.com
-
8.8.8.8:53keqyus.comdns
DNS Request
keqyus.com
-
8.8.8.8:53fvhkpu.comdns
DNS Request
fvhkpu.com
-
8.8.8.8:53argyoh.comdns
DNS Request
argyoh.com
-
8.8.8.8:53oyczkg.comdns
DNS Request
oyczkg.com
-
8.8.8.8:53bstoeo.comdns
DNS Request
bstoeo.com
-
8.8.8.8:53gguaxr.comdns
DNS Request
gguaxr.com
-
8.8.8.8:53hgzero.comdns
DNS Request
hgzero.com
DNS Response
154.31.45.113
-
8.8.8.8:53ant.trenz.pldns
DNS Request
ant.trenz.pl
DNS Response
148.81.111.121
-
8.8.8.8:53adomhh.comdns
DNS Request
adomhh.com
-
8.8.8.8:53dmcsdm.comdns
DNS Request
dmcsdm.com
-
8.8.8.8:53dyktyd.comdns
DNS Request
dyktyd.com
-
8.8.8.8:53jqrwrc.comdns
DNS Request
jqrwrc.com
-
8.8.8.8:53jqrpbv.comdns
DNS Request
jqrpbv.com
-
8.8.8.8:53mircge.comdns
DNS Request
mircge.com
-
8.8.8.8:53ssmovv.comdns
DNS Request
ssmovv.com
-
8.8.8.8:53kjirvh.comdns
DNS Request
kjirvh.com
-
8.8.8.8:53smpaza.comdns
DNS Request
smpaza.com
-
8.8.8.8:53wwqpst.comdns
DNS Request
wwqpst.com
-
8.8.8.8:53kbsvwu.comdns
DNS Request
kbsvwu.com
-
8.8.8.8:53vchaff.comdns
DNS Request
vchaff.com
-
8.8.8.8:53unsgbd.comdns
DNS Request
unsgbd.com
-
8.8.8.8:53yoyyst.comdns
DNS Request
yoyyst.com
-
8.8.8.8:53kbwnai.comdns
DNS Request
kbwnai.com
-
8.8.8.8:53zeezuu.comdns
DNS Request
zeezuu.com
DNS Response
3.64.163.50
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76KB
-
Filesize
76KB