Analysis
- max time kernel: 112s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/10/2022, 23:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
- Resource: win7-20220812-en
General
- Target: 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
- Size: 979KB
- MD5: 61f4e9350bb8c30207fdcad34a719a1c
- SHA1: 99f82c612f4d20549fc750a661130fc8610c4733
- SHA256: 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f
- SHA512: 97a7162287e574116b81874b93bd23361d618702e479cad4bb695264c169bd370b3dfc572ca4f182c1e5aa41eb44d36a20b67c2247826c90511b08878e139737
- SSDEEP: 24576:XinYcjntnpksVzSEQR+Ms+5RY2ZpmAPCajNqEp86ECJn20U:TCpksVF3S5f+APCwpRA0U
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process (all rows): 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
  description | ioc
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- UAC bypass
  Process (all rows): 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
  description | ioc
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Windows security bypass
  Process (all rows): 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
  description | ioc
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Executes dropped EXE (1 IoCs)
  pid | Process
  4908 | is-R9B0P.tmp
- YARA rule match: upx
  resource | yara_rule
  behavioral2/memory/4936-132-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
  behavioral2/memory/4936-137-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
  behavioral2/memory/4936-139-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
- Windows security modification
  Process (all rows): 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
  description | ioc
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Checks whether UAC is enabled
  Process (all rows): 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
  description | ioc
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\E: | 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SYSTEM.INI | 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4936 | 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
  4936 | 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4936 | 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe (this identical row is recorded 64 times)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Process (all rows): pid 4936, 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
  description | procid_target
  PID 4936 wrote to memory of 4908 | 82
  PID 4936 wrote to memory of 4908 | 82
  PID 4936 wrote to memory of 4908 | 82
  PID 4936 wrote to memory of 776 | 8
  PID 4936 wrote to memory of 784 | 80
  PID 4936 wrote to memory of 328 | 9
  PID 4936 wrote to memory of 2772 | 41
  PID 4936 wrote to memory of 2808 | 40
  PID 4936 wrote to memory of 2924 | 38
  PID 4936 wrote to memory of 1040 | 37
  PID 4936 wrote to memory of 3080 | 36
  PID 4936 wrote to memory of 3292 | 13
  PID 4936 wrote to memory of 3380 | 12
  PID 4936 wrote to memory of 3452 | 11
  PID 4936 wrote to memory of 3560 | 14
  PID 4936 wrote to memory of 3752 | 35
  PID 4936 wrote to memory of 4616 | 31
  PID 4936 wrote to memory of 5108 | 16
  PID 4936 wrote to memory of 4492 | 33
  PID 4936 wrote to memory of 4908 | 82
  PID 4936 wrote to memory of 4908 | 82
- System policy modification (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe
Processes
(image | command line | PID; indentation shows parent/child nesting)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:328
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3452
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3380
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3292
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3560
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:5108
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4616
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4492
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3752
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3080
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1040
  - C:\Users\Admin\AppData\Local\Temp\608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe | "C:\Users\Admin\AppData\Local\Temp\608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe" | PID:4936
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\is-PB1DA.tmp\is-R9B0P.tmp | "C:\Users\Admin\AppData\Local\Temp\is-PB1DA.tmp\is-R9B0P.tmp" /SL4 $40162 "C:\Users\Admin\AppData\Local\Temp\608301a9d0e0e0eb6ed8546ef9faf0fd213d09c959612b499813170d9302f02f.exe" 695698 51712 | PID:4908
      Signatures:
      - Executes dropped EXE
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2924
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2808
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2772
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
Network
MITRE ATT&CK Enterprise v6
Downloads (2 entries, both with identical size and hashes)
- Filesize: 616KB
- MD5: 0e5fd0fc130e2380b08edca8f822f382
- SHA1: e36aacde42ac8f297d3bffb379c021639ef4c06a
- SHA256: d3f6c4e1b8e6d11661d4bdf79b438382bb5951e7a42cedbcac3ebbe88012373c
- SHA512: efaabebb37413eb2a689be4070827dbeb9ba8f88f6a90a3ed33225c68eb02e43e4760dcfdf3e59eba589db0519e9ac447035ef9b3822c0414ccebdc79a5bde37