Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
21/11/2022, 08:35
Static task
static1
Behavioral task
behavioral1
Sample
a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe
Resource
win7-20221111-en
windows7-x64
14 signatures
150 seconds
General
-
Target
a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe
-
Size
126KB
-
MD5
21f0272ed15877dceaa41edc7e05dc31
-
SHA1
aab2dbda4c81f649bb9f1387545fee09a6955484
-
SHA256
a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7
-
SHA512
86458c9d0b67e1642f12c36f75c4a623849b4e0d6336f54f7ed5d456554cb12995eeab1ff558b77cf41b8b70ca4f5584862e760ffc46ddf914088b95278c1bbb
-
SSDEEP
3072:YLTJeFIQW0qP/K0LM5ITVCpcPFyPOfr0mH3+:YLOIQHqP/9gBWtkmX+
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe -
resource yara_rule behavioral2/memory/4756-132-0x0000000002460000-0x00000000034EE000-memory.dmp upx behavioral2/memory/4756-134-0x0000000002460000-0x00000000034EE000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe Token: SeDebugPrivilege 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4756 wrote to memory of 788 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 8 PID 4756 wrote to memory of 792 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 13 PID 4756 wrote to memory of 1016 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 10 PID 4756 wrote to memory of 2456 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 31 PID 4756 wrote to memory of 2532 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 67 PID 4756 wrote to memory of 2788 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 64 PID 4756 wrote to memory of 2704 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 33 PID 4756 wrote to memory of 2904 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 62 PID 4756 wrote to memory of 3264 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 61 PID 4756 wrote to memory of 3364 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 60 PID 4756 wrote to memory of 3428 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 34 PID 4756 wrote to memory of 3516 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 59 PID 4756 wrote to memory of 3696 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 58 PID 4756 wrote to memory of 4628 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 35 PID 4756 wrote to memory of 5092 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 48 PID 4756 wrote to memory of 524 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 45 PID 4756 wrote to memory of 1456 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 42 PID 4756 wrote to memory of 2288 4756 a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe 41 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:788
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1016
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2456
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2704
-
C:\Users\Admin\AppData\Local\Temp\a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe"C:\Users\Admin\AppData\Local\Temp\a7f5d39ea0c7877c28f2e07009f3acfc05da1a43fe37e3319d4047fe148421e7.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4756
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3428
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4628
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:2288
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:1456
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:524
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵PID:5092
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3696
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3516
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3364
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3264
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:2904
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2788
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2532