Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 52s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/10/2022, 18:28
Static task: static1
Behavioral task: behavioral1
Sample: 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Resource: win7-20220901-en
General
- Target: 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
- Size: 236KB
- MD5: 3570fcb1c153163194b558d0db591250
- SHA1: 794b170a924cee2a9349b11f8ab11e40ffd7ef5f
- SHA256: 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b
- SHA512: 225b0ba45ad5ea53b77f742e8c8ba3432a1f9c3e79ab11a7d0838ae03600f3442c08338b1d2f533add7e303021f4a0ed685d6f110ce9fac36bba60f9a29ffa74
- SSDEEP: 6144:3Q3Im3YkuahFo/uM1GIKAs8LfffihaXV+l/wggD5a:vkXk1LKAs8TfihaXMGggY
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Executes dropped EXE (1 IoCs)
pid | Process
3636 | DeleteFile.exe

YARA rule match: upx
resource | yara_rule
behavioral2/memory/5016-133-0x0000000002350000-0x000000000340A000-memory.dmp | upx
behavioral2/memory/5016-134-0x0000000002350000-0x000000000340A000-memory.dmp | upx
behavioral2/memory/5016-136-0x0000000002350000-0x000000000340A000-memory.dmp | upx
behavioral2/memory/5016-141-0x0000000002350000-0x000000000340A000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | DeleteFile.exe

Loads dropped DLL (1 IoCs)
pid | Process
5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
File opened (read-only) | \??\E: | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\e56e11e | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
File opened for modification | C:\Windows\SYSTEM.INI | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe (this identical entry is reported 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
3636 | DeleteFile.exe
3636 | DeleteFile.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 5016 wrote to memory of 780 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 9
PID 5016 wrote to memory of 788 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 19
PID 5016 wrote to memory of 332 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 11
PID 5016 wrote to memory of 2372 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 42
PID 5016 wrote to memory of 2380 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 43
PID 5016 wrote to memory of 2476 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 44
PID 5016 wrote to memory of 2228 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 54
PID 5016 wrote to memory of 3108 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 55
PID 5016 wrote to memory of 3308 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 80
PID 5016 wrote to memory of 3404 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 79
PID 5016 wrote to memory of 3512 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 77
PID 5016 wrote to memory of 3620 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 76
PID 5016 wrote to memory of 3824 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 75
PID 5016 wrote to memory of 4700 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 73
PID 5016 wrote to memory of 4344 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 57
PID 5016 wrote to memory of 3636 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 82
PID 5016 wrote to memory of 3636 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 82
PID 5016 wrote to memory of 3636 | 5016 | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | 82
PID 3636 wrote to memory of 2104 | 3636 | DeleteFile.exe | 83
PID 3636 wrote to memory of 2104 | 3636 | DeleteFile.exe | 83
PID 3636 wrote to memory of 2104 | 3636 | DeleteFile.exe | 83
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
Processes
(process tree; each entry is path | command line | PID, indented by depth)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:332
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2372
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2380
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2476
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:2228
  - C:\Users\Admin\AppData\Local\Temp\42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe | "C:\Users\Admin\AppData\Local\Temp\42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe" | PID:5016
    signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\DeleteFile.exe | C:\Users\Admin\AppData\Local\Temp\DeleteFile.exe | PID:3636
      signatures:
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DelFile.bat" " | PID:2104
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3108
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4344
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4700
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3824
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3620
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3512
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3404
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3308
Network
MITRE ATT&CK Enterprise v6
Downloads