Analysis
max time kernel: 139s
max time network: 137s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 17:14
Behavioral task
behavioral1
Sample
ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb.exe
Resource
win10v2004-20231215-en
General
-
Target
ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb.exe
-
Size
42KB
-
MD5
f3049a990188c25ec80626c4475521dd
-
SHA1
7c697f2c2dfa1f92bf8d51e2f17ed41fac9366e3
-
SHA256
ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb
-
SHA512
8caf5e5098079b0331ccd10f89bdd9e70c60f70fac41327bdfb121f6e09f3a298f9abc073258fbbf00822c2556c7aa0d4dd124b6099728d4dd24d7d38cbb5eec
-
SSDEEP
768:gO1oR/lVS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDEimA7tgA3WKi:gzS1FKnDtkuIm4ABPWD
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (2995) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2596 wbadmin.exe -
Drops file in Program Files directory 64 IoCs
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2284 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2084 ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeBackupPrivilege 2824 vssvc.exe Token: SeRestorePrivilege 2824 vssvc.exe Token: SeAuditPrivilege 2824 vssvc.exe Token: SeBackupPrivilege 3044 wbengine.exe Token: SeRestorePrivilege 3044 wbengine.exe Token: SeSecurityPrivilege 3044 wbengine.exe Token: SeIncreaseQuotaPrivilege 2888 WMIC.exe Token: SeSecurityPrivilege 2888 WMIC.exe Token: SeTakeOwnershipPrivilege 2888 WMIC.exe Token: SeLoadDriverPrivilege 2888 WMIC.exe Token: SeSystemProfilePrivilege 2888 WMIC.exe Token: SeSystemtimePrivilege 2888 WMIC.exe Token: SeProfSingleProcessPrivilege 2888 WMIC.exe Token: SeIncBasePriorityPrivilege 2888 WMIC.exe Token: SeCreatePagefilePrivilege 2888 WMIC.exe Token: SeBackupPrivilege 2888 WMIC.exe Token: SeRestorePrivilege 2888 WMIC.exe Token: SeShutdownPrivilege 2888 WMIC.exe Token: SeDebugPrivilege 2888 WMIC.exe Token: SeSystemEnvironmentPrivilege 2888 WMIC.exe Token: SeRemoteShutdownPrivilege 2888 WMIC.exe Token: SeUndockPrivilege 2888 WMIC.exe Token: SeManageVolumePrivilege 2888 WMIC.exe Token: 33 2888 WMIC.exe Token: 34 2888 WMIC.exe Token: 35 2888 WMIC.exe Token: SeIncreaseQuotaPrivilege 2888 WMIC.exe Token: SeSecurityPrivilege 2888 WMIC.exe Token: SeTakeOwnershipPrivilege 2888 WMIC.exe Token: SeLoadDriverPrivilege 2888 WMIC.exe Token: SeSystemProfilePrivilege 2888 WMIC.exe Token: SeSystemtimePrivilege 2888 WMIC.exe Token: SeProfSingleProcessPrivilege 2888 WMIC.exe Token: SeIncBasePriorityPrivilege 2888 WMIC.exe Token: SeCreatePagefilePrivilege 2888 WMIC.exe Token: SeBackupPrivilege 2888 WMIC.exe Token: SeRestorePrivilege 2888 WMIC.exe Token: SeShutdownPrivilege 2888 WMIC.exe Token: SeDebugPrivilege 2888 WMIC.exe Token: SeSystemEnvironmentPrivilege 2888 WMIC.exe Token: SeRemoteShutdownPrivilege 2888 WMIC.exe Token: SeUndockPrivilege 2888 WMIC.exe Token: SeManageVolumePrivilege 2888 WMIC.exe Token: 33 2888 WMIC.exe Token: 34 2888 WMIC.exe Token: 35 2888 WMIC.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2084 wrote to memory of 2792 2084 ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb.exe 29 PID 2084 wrote to memory of 2792 2084 ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb.exe 29 PID 2084 wrote to memory of 2792 2084 ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb.exe 29 PID 2084 wrote to memory of 2792 2084 ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb.exe 29 PID 2792 wrote to memory of 2284 2792 cmd.exe 31 PID 2792 wrote to memory of 2284 2792 cmd.exe 31 PID 2792 wrote to memory of 2284 2792 cmd.exe 31 PID 2792 wrote to memory of 2596 2792 cmd.exe 34 PID 2792 wrote to memory of 2596 2792 cmd.exe 34 PID 2792 wrote to memory of 2596 2792 cmd.exe 34 PID 2792 wrote to memory of 2888 2792 cmd.exe 38 PID 2792 wrote to memory of 2888 2792 cmd.exe 38 PID 2792 wrote to memory of 2888 2792 cmd.exe 38 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb.exe"C:\Users\Admin\AppData\Local\Temp\ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb.exe"C:\Users\Admin\AppData\Local\Temp\ee7fa7fb7150d26c98b2e0f49dbf7cc29c3dcd647a4bc081f982292085978aeb.exe" n20842⤵PID:2088
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2284
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:2596
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2548
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2872
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:2388
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 1153e4686b08b07f2cdfb9f92d4f5f3c
SHA1 c41e34fe5cd89e15facbcf30793667359b1bb34f
SHA256 b637f87fab2337156ffd729db35507f9ce35d5c356ee9f2e10b3d4076fbb033a
SHA512 1a26340b5717aef543383d210d6929c639b6e6cec30b2afb1698197a6ab0940002f6afa8f11168b0bbf94bd4b86b920ff20f3a722b3873cca447c3e17ef31440