Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
65s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2022, 05:38
Static task
static1
Behavioral task
behavioral1
Sample
b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Resource
win7-20220812-en
General
-
Target
b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
-
Size
113KB
-
MD5
6945475e30633fe7b7423876857afebd
-
SHA1
f3fe43844e2153d123c29f5e446da2c54d2bb9ee
-
SHA256
b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b
-
SHA512
445565c520d8253f6d9419bb2fa5ad6d721d904fd451f1a04d7a8e3958878de7bafc9f8b96e60f2d879bcc85682950e618bf29fdcbf4cab27ddcdef9cee6b6d1
-
SSDEEP
3072:TQIDRTXJJmGz9AVvPBVWLGLC5uQ0cJRkw2cU:T/3mGRAJepUncJa
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe -
Executes dropped EXE 1 IoCs
pid Process 4296 Au_.exe -
resource yara_rule behavioral2/memory/3516-134-0x0000000002220000-0x000000000324A000-memory.dmp upx behavioral2/memory/3516-139-0x0000000002220000-0x000000000324A000-memory.dmp upx behavioral2/memory/4296-141-0x00000000049D0000-0x00000000059FA000-memory.dmp upx behavioral2/memory/4296-144-0x00000000049D0000-0x00000000059FA000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe Au_.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe Au_.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe Au_.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe Au_.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
resource yara_rule behavioral2/files/0x0006000000022e06-136.dat nsis_installer_1 behavioral2/files/0x0006000000022e06-136.dat nsis_installer_2 behavioral2/files/0x0006000000022e06-137.dat nsis_installer_1 behavioral2/files/0x0006000000022e06-137.dat nsis_installer_2 behavioral2/files/0x0009000000022dff-143.dat nsis_installer_1 behavioral2/files/0x0009000000022dff-143.dat nsis_installer_2 -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 4296 Au_.exe 4296 Au_.exe 4296 Au_.exe 4296 Au_.exe 4296 Au_.exe 4296 Au_.exe 4296 Au_.exe 4296 Au_.exe 4296 Au_.exe 4296 Au_.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Token: SeDebugPrivilege 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3516 wrote to memory of 768 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 79 PID 3516 wrote to memory of 776 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 78 PID 3516 wrote to memory of 1008 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 8 PID 3516 wrote to memory of 2308 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 50 PID 3516 wrote to memory of 2328 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 49 PID 3516 wrote to memory of 2416 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 48 PID 3516 wrote to memory of 2424 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 38 PID 3516 wrote to memory of 2948 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 37 PID 3516 wrote to memory of 3244 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 36 PID 3516 wrote to memory of 3352 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 35 PID 3516 wrote to memory of 3456 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 13 PID 3516 wrote to memory of 3552 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 34 PID 3516 wrote to memory of 3744 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 33 PID 3516 wrote to memory of 4820 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 30 PID 3516 wrote to memory of 2700 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 16 PID 3516 wrote to memory of 2268 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 14 PID 3516 wrote to memory of 4296 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 81 PID 3516 wrote to memory of 4296 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 81 PID 3516 wrote to memory of 4296 3516 b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe 81 PID 4296 wrote to memory of 768 4296 Au_.exe 79 PID 4296 wrote to memory of 776 4296 Au_.exe 78 PID 4296 wrote to memory of 1008 4296 Au_.exe 8 PID 4296 wrote to memory of 2308 4296 Au_.exe 50 PID 4296 wrote to memory of 2328 4296 Au_.exe 49 PID 4296 wrote to memory of 2416 4296 Au_.exe 48 PID 4296 wrote to memory of 2424 4296 Au_.exe 38 PID 4296 wrote to memory of 2948 4296 Au_.exe 37 PID 4296 wrote to memory of 3244 4296 Au_.exe 36 PID 4296 wrote to memory of 3352 4296 Au_.exe 35 PID 4296 wrote to memory of 3456 4296 Au_.exe 13 PID 4296 wrote to memory of 3552 4296 Au_.exe 34 PID 4296 wrote to memory of 3744 4296 Au_.exe 33 PID 4296 wrote to memory of 4820 4296 Au_.exe 30 PID 4296 wrote to memory of 2700 4296 Au_.exe 16 PID 4296 wrote to memory of 2268 4296 Au_.exe 14 PID 4296 wrote to memory of 1420 4296 Au_.exe 82 PID 4296 wrote to memory of 1420 4296 Au_.exe 82 PID 4296 wrote to memory of 1420 4296 Au_.exe 82 PID 4296 wrote to memory of 1420 4296 Au_.exe 82 PID 4296 wrote to memory of 2732 4296 Au_.exe 83 PID 4296 wrote to memory of 2732 4296 Au_.exe 83 PID 4296 wrote to memory of 2732 4296 Au_.exe 83 PID 4296 wrote to memory of 2732 4296 Au_.exe 83 PID 4296 wrote to memory of 768 4296 Au_.exe 79 PID 4296 wrote to memory of 776 4296 Au_.exe 78 PID 4296 wrote to memory of 1008 4296 Au_.exe 8 PID 4296 wrote to memory of 2308 4296 Au_.exe 50 PID 4296 wrote to memory of 2328 4296 Au_.exe 49 PID 4296 wrote to memory of 2416 4296 Au_.exe 48 PID 4296 wrote to memory of 2424 4296 Au_.exe 38 PID 4296 wrote to memory of 2948 4296 Au_.exe 37 PID 4296 wrote to memory of 3244 4296 Au_.exe 36 PID 4296 wrote to memory of 3352 4296 Au_.exe 35 PID 4296 wrote to memory of 3456 4296 Au_.exe 13 PID 4296 wrote to memory of 3552 4296 Au_.exe 34 PID 4296 wrote to memory of 3744 4296 Au_.exe 33 PID 4296 wrote to memory of 4820 4296 Au_.exe 30 PID 4296 wrote to memory of 2268 4296 Au_.exe 14 PID 4296 wrote to memory of 2732 4296 Au_.exe 83 PID 4296 wrote to memory of 2732 4296 Au_.exe 83 PID 4296 wrote to memory of 3484 4296 Au_.exe 84 PID 4296 wrote to memory of 3484 4296 Au_.exe 84 PID 4296 wrote to memory of 3484 4296 Au_.exe 84 PID 4296 wrote to memory of 3484 4296 Au_.exe 84 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1008
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3456
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2268
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:2700
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4820
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3744
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3552
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3352
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3244
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:2948
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe"C:\Users\Admin\AppData\Local\Temp\b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe"2⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3516 -
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4296 -
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"4⤵PID:1420
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"4⤵PID:2732
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"4⤵PID:3484
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"4⤵PID:3772
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"4⤵PID:340
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"4⤵PID:2208
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"4⤵PID:1244
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"4⤵PID:4120
-
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2416
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2328
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2308
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:768
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0E56BD88_Rar\b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Filesize53KB
MD5273d78e14fd846c2eabe42788ea7f550
SHA1a78c813af5237a521685e321b7d34870fe99f152
SHA256b786ff9afd3be4b1ee992dc68e32b70d52e19cee5bca7f6779ecd211aa55a5a4
SHA51240458559e8369c7096bf21f0975fdbde879da441c1f5026ec1877fa03ddc7f528e91ceb44a71fdc1b86ec39625d075568038a3f62417812c225c67ed6f90609b
-
Filesize
113KB
MD56945475e30633fe7b7423876857afebd
SHA1f3fe43844e2153d123c29f5e446da2c54d2bb9ee
SHA256b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b
SHA512445565c520d8253f6d9419bb2fa5ad6d721d904fd451f1a04d7a8e3958878de7bafc9f8b96e60f2d879bcc85682950e618bf29fdcbf4cab27ddcdef9cee6b6d1
-
Filesize
113KB
MD56945475e30633fe7b7423876857afebd
SHA1f3fe43844e2153d123c29f5e446da2c54d2bb9ee
SHA256b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b
SHA512445565c520d8253f6d9419bb2fa5ad6d721d904fd451f1a04d7a8e3958878de7bafc9f8b96e60f2d879bcc85682950e618bf29fdcbf4cab27ddcdef9cee6b6d1
-
Filesize
258B
MD5bb8ef8e7dcfaeb96be2de5d81ae0fd4b
SHA13cd6cc1a313c6d889c76ef822bb1d4b92dc70017
SHA256ae3bf4c85d244e531cf88e21917729d39e22c391ea51aad5cc3374596c4c1a5d
SHA512e8e1c849ab3fe3a77314c26811e3c0d4daf0828e4318a444de5dea3e27e68d5b38d498793037959324835cda60569b1c5f711b3a4f0066ff6d97e5be0c6a93b7