Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
20/10/2022, 02:58
Static task
static1
Behavioral task
behavioral1
Sample
412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Resource
win7-20220812-en
General
-
Target
412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
-
Size
403KB
-
MD5
8152e41cb3df06852ae3ff5b0056f4d0
-
SHA1
21c9ea8768cfa922988de5fe6dbc88fbee64ec1b
-
SHA256
412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84
-
SHA512
94fae3373dfb5bbe8e499a1b651a2566cdd37d09b013c61f43f6aee0042a30eb8e36f6e154484cf7105a13ba8bc12b0ab9cd2fd7067f190364e8596636deb2df
-
SSDEEP
6144:j2EGyyn8t8qgCJsHIrELgoNPrpO7LIyPLldmbvuXMjR1y9lZpylPnRJHWV:jYqgNHIrEkoNk7L6zSZpkPno
Malware Config
Extracted
sality
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
-
UAC bypass
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
-
Windows security bypass
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
-
Disables RegEdit via registry modification 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
-
Disables Task Manager via registry modification
-
resource  yara_rule
behavioral2/memory/2880-132-0x0000000002820000-0x00000000038AE000-memory.dmp  upx
behavioral2/memory/2880-137-0x0000000002820000-0x00000000038AE000-memory.dmp  upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
-
Windows security modification
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
-
Checks whether UAC is enabled
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
-
Drops file in Program Files directory 2 IoCs
description  ioc  Process
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp  AdobeARM.exe
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup  AdobeARM.exe
-
Drops file in Windows directory 1 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SYSTEM.INI  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid  Process
2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  (identical entry repeated 4 times)
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
description  pid  Process
Token: SeDebugPrivilege  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  (identical entry repeated 63 times)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid  Process
2308  AdobeARM.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
description  pid  Process  procid_target
PID 2880 wrote to memory of 784  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  8
PID 2880 wrote to memory of 792  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  77
PID 2880 wrote to memory of 312  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  10
PID 2880 wrote to memory of 2320  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  58
PID 2880 wrote to memory of 2336  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  57
PID 2880 wrote to memory of 2448  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  56
PID 2880 wrote to memory of 2984  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  47
PID 2880 wrote to memory of 2840  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  46
PID 2880 wrote to memory of 3264  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  45
PID 2880 wrote to memory of 3356  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  44
PID 2880 wrote to memory of 3424  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  24
PID 2880 wrote to memory of 3516  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  43
PID 2880 wrote to memory of 3692  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  42
PID 2880 wrote to memory of 4596  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  39
PID 2880 wrote to memory of 4560  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  28
PID 2880 wrote to memory of 1492  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  26
PID 2880 wrote to memory of 2308  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  79
PID 2880 wrote to memory of 2308  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  79
PID 2880 wrote to memory of 2308  2880  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  79
PID 2308 wrote to memory of 2100  2308  AdobeARM.exe  89
PID 2308 wrote to memory of 2100  2308  AdobeARM.exe  89
PID 2308 wrote to memory of 2100  2308  AdobeARM.exe  89
-
System policy modification 1 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe
Processes
Path  Command line  PID  (indentation shows the parent/child relationship; signatures triggered by a process are listed beneath it)
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:784
C:\Windows\system32\dwm.exe  "dwm.exe"  PID:312
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3424
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:1492
C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:4560
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4596
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3692
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:3516
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3356
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3264
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:2840
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:2984
    C:\Users\Admin\AppData\Local\Temp\412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe  "C:\Users\Admin\AppData\Local\Temp\412c43b4f826b1a506f64e96b49e98caffc35fafa6a10592b03299c261933d84.exe"  PID:2880
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Checks computer location settings
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"  PID:2308
            - Drops file in Program Files directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"  PID:2100
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2448
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2336
C:\Windows\system32\sihost.exe  sihost.exe  PID:2320
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:792
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize  358B
MD5  b1a863be203a9c728412b7419f967098
SHA1  fd463f98a090f675f5b8d293d71688aad2d87aa0
SHA256  f6b4f1003f691257e1a7a71c860eb82ef4d4f8dec5c888d801352d309b501b05
SHA512  3252253df5a592b4531ec59f2701aa9a6370589e9755548f795c3afbf6d3537c8b1358f7459fa6319134f8a51c2efd46d82e3b921571642490f236cad44e7a62