Analysis
max time kernel: 91s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2022, 18:51
Static task: static1
Behavioral task: behavioral1
Sample: 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe
Resource: win7-20220901-en
General
Target: 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe
Size: 410KB
MD5: 0e265c41cf42ba3cb7fb893ff98da186
SHA1: 3d7e4f5c12ecc284a92e6dcf1dd9c1603ec9e473
SHA256: 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc
SHA512: bede6020e2a83050691af1e0acd1bce5ae61777066380bb310d5bd5646c86b2d9c48137ae97601af769d2ee70ed32ee604ab9dd5100164260f0fd5919481b4fa
SSDEEP: 6144:72EGyyn8t8qgCJs/IrELgoNPrpO7LIyPLldmbvuXMjR1y9lZpIM2cHheqKUhvRO5:7YqgN/IrEkoNk7L6zSZp9PQ
Malware Config
Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
- http://klkjwre77638dfqwieuoi888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

UAC bypass (heading restored from the process tree below; 1 IoC)
Process: 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass (heading restored from the process tree below; 6 IoCs)
Process: 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"

Disables RegEdit via registry modification (1 IoC)
Process: 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
Disables Task Manager via registry modification

Memory dumps matching yara_rule upx (3 resources)
- behavioral2/memory/800-133-0x0000000002D10000-0x0000000003D9E000-memory.dmp
- behavioral2/memory/800-134-0x0000000002D10000-0x0000000003D9E000-memory.dmp
- behavioral2/memory/800-138-0x0000000002D10000-0x0000000003D9E000-memory.dmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe
- Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation

Windows security modification (heading restored from the process tree below; 7 IoCs)
Process: 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc

Checks whether UAC is enabled (heading restored from the process tree below; 1 IoC)
Process: 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops file in Program Files directory (2 IoCs)
Process: AdobeARM.exe
- File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp
- File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup

Drops file in Windows directory (1 IoC)
Process: 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe
- File opened for modification C:\Windows\SYSTEM.INI

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- pid 800, 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe (4 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, pid 800, 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe (64 identical entries)
Suspicious use of SetWindowsHookEx (1 IoC)
- pid 3556, AdobeARM.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Columns: description, pid, Process, procid_target. pid 800 is 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe; pid 3556 is AdobeARM.exe.
- PID 800 wrote to memory of 780 (procid_target 77)
- PID 800 wrote to memory of 788 (procid_target 76)
- PID 800 wrote to memory of 1020 (procid_target 9)
- PID 800 wrote to memory of 2376 (procid_target 40)
- PID 800 wrote to memory of 2392 (procid_target 34)
- PID 800 wrote to memory of 2484 (procid_target 33)
- PID 800 wrote to memory of 3060 (procid_target 44)
- PID 800 wrote to memory of 3080 (procid_target 67)
- PID 800 wrote to memory of 3276 (procid_target 48)
- PID 800 wrote to memory of 3424 (procid_target 47)
- PID 800 wrote to memory of 3508 (procid_target 46)
- PID 800 wrote to memory of 3592 (procid_target 66)
- PID 800 wrote to memory of 3812 (procid_target 49)
- PID 800 wrote to memory of 4808 (procid_target 64)
- PID 800 wrote to memory of 3556 (procid_target 79), 3 identical entries
- PID 3556 wrote to memory of 1936 (procid_target 90), 3 identical entries

System policy modification (1 TTP, 1 IoC)
Process: 94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
Each entry is: PID, image path, command line. Indentation shows the parent/child relationship (depth markers 1-4 in the original); the signatures triggered by a process are listed beneath it.

PID 1020  C:\Windows\system32\dwm.exe  cmd: "dwm.exe"
PID 2484  C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 2392  C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2376  C:\Windows\system32\sihost.exe  cmd: sihost.exe
PID 3060  C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE
  PID 800  C:\Users\Admin\AppData\Local\Temp\94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\94f3a3ef0d914aa3bbe8297eb065f5108820a8c4d7df5e455824ebd747e3dafc.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID 3556  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe  cmd: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID 1936  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe  cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
PID 3508  C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3424  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3276  C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3812  C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4808  C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3592  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3080  C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 788  C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"
PID 780  C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 358B
MD5: 21819093a1f6294ed6c57e8545de5368
SHA1: 8594599080d691cdb92273dc59e9d717b0dd3407
SHA256: e25d9f42132ed346178257f61dff703f126b1fe2f125601edc6819d07d5e4bcc
SHA512: 7de8d4dcf9204dacbddb0216281ec22037fbc21fd4cf866f328709bbb5b58ae2d334598548e7ee2e64a4d38074ba61e0fcc6d56be34bdd3af880a356bcaf45c2