Analysis
- max time kernel: 224s
- max time network: 203s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/09/2024, 15:57
Behavioral task: behavioral1
- Sample: Client-built.exe
- Resource: win10v2004-20240802-en
Errors
General
- Target: Client-built.exe
- Size: 78KB
- MD5: 6de48dc636e876d997534aa3c5a1b368
- SHA1: 02b08b739531593ac72dd2aa92b75e3466428b11
- SHA256: bbaa30ea37df3080078f35ccd41e6e1c3fe66c81d7c80dda3cf5299af988122c
- SHA512: 23b1cdbfbc45b95e205f43e48028e5943a3a7c7c9960291e16ce34dafcb53e0e679523f30cb739bf8926355d3eb7d817d5b97c1fc722b192d9cac2925cb6380c
- SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+WwPIC:5Zv5PDwbjNrmAE+W0IC
Malware Config
Extracted: discordrat
- discord_token: MTI4NjcwOTYwMTQwNzg2MDc3Nw.GdbB5d.SstzGRfJxvsS7oS6I1M3fQK9g8R5_he-FnX100
- server_id: 1286709234360385586
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoC
description | pid | Process | procid_target
PID 64 created 316 | 64 | WerFault.exe | 13
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
description | pid | Process | procid_target
PID 1612 created 616 | 1612 | Client-built.exe | 5
PID 832 created 616 | 832 | svchost.exe | 5
PID 832 created 672 | 832 | svchost.exe | 7
PID 832 created 316 | 832 | svchost.exe | 13
Downloads MZ/PE file
-
Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description | ioc | Process
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow | ioc
57 | discord.com
18 | discord.com
21 | discord.com
37 | discord.com
17 | discord.com
59 | raw.githubusercontent.com
60 | discord.com
62 | discord.com
64 | discord.com
39 | discord.com
58 | raw.githubusercontent.com
63 | raw.githubusercontent.com
56 | discord.com
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1612 set thread context of 4964 | 1612 | Client-built.exe | 92
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1612 | Client-built.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
1612 | Client-built.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
3468 | WerFault.exe
3468 | WerFault.exe
4964 | dllhost.exe
4964 | dllhost.exe
224 | WerFault.exe
224 | WerFault.exe
4964 | dllhost.exe
4964 | dllhost.exe
1612 | Client-built.exe
832 | svchost.exe
832 | svchost.exe
832 | svchost.exe
832 | svchost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
1932 | WerFault.exe
1932 | WerFault.exe
1612 | Client-built.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
1612 | Client-built.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
1612 | Client-built.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
4964 | dllhost.exe
Suspicious use of AdjustPrivilegeToken 30 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1612 | Client-built.exe
Token: SeDebugPrivilege | 1612 | Client-built.exe
Token: SeDebugPrivilege | 4964 | dllhost.exe
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Token: SeAuditPrivilege | 2760 | svchost.exe
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Token: SeShutdownPrivilege | 3504 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3504 | Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3504 | Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1612 wrote to memory of 4964 | 1612 | Client-built.exe | 92
PID 1612 wrote to memory of 4964 | 1612 | Client-built.exe | 92
PID 1612 wrote to memory of 4964 | 1612 | Client-built.exe | 92
PID 1612 wrote to memory of 4964 | 1612 | Client-built.exe | 92
PID 1612 wrote to memory of 4964 | 1612 | Client-built.exe | 92
PID 1612 wrote to memory of 4964 | 1612 | Client-built.exe | 92
PID 1612 wrote to memory of 4964 | 1612 | Client-built.exe | 92
PID 1612 wrote to memory of 4964 | 1612 | Client-built.exe | 92
PID 1612 wrote to memory of 4964 | 1612 | Client-built.exe | 92
PID 1612 wrote to memory of 4964 | 1612 | Client-built.exe | 92
PID 1612 wrote to memory of 4964 | 1612 | Client-built.exe | 92
PID 4964 wrote to memory of 616 | 4964 | dllhost.exe | 5
PID 4964 wrote to memory of 672 | 4964 | dllhost.exe | 7
PID 4964 wrote to memory of 960 | 4964 | dllhost.exe | 12
PID 4964 wrote to memory of 316 | 4964 | dllhost.exe | 13
PID 4964 wrote to memory of 516 | 4964 | dllhost.exe | 16
PID 4964 wrote to memory of 1136 | 4964 | dllhost.exe | 17
PID 4964 wrote to memory of 1144 | 4964 | dllhost.exe | 18
PID 4964 wrote to memory of 1152 | 4964 | dllhost.exe | 19
PID 4964 wrote to memory of 1212 | 4964 | dllhost.exe | 20
PID 4964 wrote to memory of 1224 | 4964 | dllhost.exe | 21
PID 4964 wrote to memory of 1284 | 4964 | dllhost.exe | 22
PID 4964 wrote to memory of 1364 | 4964 | dllhost.exe | 23
PID 4964 wrote to memory of 1388 | 4964 | dllhost.exe | 24
PID 4964 wrote to memory of 1464 | 4964 | dllhost.exe | 25
PID 4964 wrote to memory of 1572 | 4964 | dllhost.exe | 26
PID 4964 wrote to memory of 1580 | 4964 | dllhost.exe | 27
PID 4964 wrote to memory of 1660 | 4964 | dllhost.exe | 28
PID 4964 wrote to memory of 1720 | 4964 | dllhost.exe | 29
PID 4964 wrote to memory of 1752 | 4964 | dllhost.exe | 30
PID 4964 wrote to memory of 1760 | 4964 | dllhost.exe | 31
PID 4964 wrote to memory of 1856 | 4964 | dllhost.exe | 32
PID 4964 wrote to memory of 1968 | 4964 | dllhost.exe | 33
PID 4964 wrote to memory of 1976 | 4964 | dllhost.exe | 34
PID 4964 wrote to memory of 2000 | 4964 | dllhost.exe | 35
PID 4964 wrote to memory of 1616 | 4964 | dllhost.exe | 36
PID 4964 wrote to memory of 1884 | 4964 | dllhost.exe | 37
PID 4964 wrote to memory of 2140 | 4964 | dllhost.exe | 38
PID 4964 wrote to memory of 2156 | 4964 | dllhost.exe | 39
PID 4964 wrote to memory of 2252 | 4964 | dllhost.exe | 41
PID 4964 wrote to memory of 2488 | 4964 | dllhost.exe | 42
PID 4964 wrote to memory of 2504 | 4964 | dllhost.exe | 43
PID 4964 wrote to memory of 2628 | 4964 | dllhost.exe | 44
PID 4964 wrote to memory of 2636 | 4964 | dllhost.exe | 45
PID 4964 wrote to memory of 2652 | 4964 | dllhost.exe | 46
PID 4964 wrote to memory of 2708 | 4964 | dllhost.exe | 47
PID 4964 wrote to memory of 2760 | 4964 | dllhost.exe | 48
PID 4964 wrote to memory of 2796 | 4964 | dllhost.exe | 49
PID 4964 wrote to memory of 2816 | 4964 | dllhost.exe | 50
PID 4964 wrote to memory of 2824 | 4964 | dllhost.exe | 51
PID 4964 wrote to memory of 2840 | 4964 | dllhost.exe | 52
PID 4964 wrote to memory of 2964 | 4964 | dllhost.exe | 53
PID 4964 wrote to memory of 3396 | 4964 | dllhost.exe | 55
PID 4964 wrote to memory of 3504 | 4964 | dllhost.exe | 56
PID 4964 wrote to memory of 3612 | 4964 | dllhost.exe | 57
PID 4964 wrote to memory of 3804 | 4964 | dllhost.exe | 58
PID 4964 wrote to memory of 3956 | 4964 | dllhost.exe | 60
PID 4964 wrote to memory of 4188 | 4964 | dllhost.exe | 62
PID 4964 wrote to memory of 4444 | 4964 | dllhost.exe | 65
PID 4964 wrote to memory of 4392 | 4964 | dllhost.exe | 67
PID 4964 wrote to memory of 3204 | 4964 | dllhost.exe | 68
PID 4964 wrote to memory of 4452 | 4964 | dllhost.exe | 69
PID 4964 wrote to memory of 4128 | 4964 | dllhost.exe | 70
PID 4964 wrote to memory of 4680 | 4964 | dllhost.exe | 71
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Process tree; indentation shows parent/child depth. Each entry: image path | cmd: command line | PID, followed by the signatures matched on that process.)
- C:\Windows\system32\winlogon.exe | cmd: winlogon.exe | PID:616
  - C:\Windows\system32\dwm.exe | cmd: "dwm.exe" | PID:316
    - C:\Windows\system32\WerFault.exe | cmd: C:\Windows\system32\WerFault.exe -u -p 316 -s 2684 | PID:1932
      signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\dllhost.exe | cmd: C:\Windows\System32\dllhost.exe /Processid:{6b5ffcb7-1986-47bd-aa61-84d8f677cc50} | PID:4964
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe | cmd: C:\Windows\system32\WerFault.exe -u -p 616 -s 1140 | PID:224
    signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\lsass.exe | cmd: C:\Windows\system32\lsass.exe | PID:672
  - C:\Windows\system32\WerFault.exe | cmd: C:\Windows\system32\WerFault.exe -u -p 672 -s 4356 | PID:3468
    signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID:960
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID:516
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID:1136
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID:1144
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID:1152
  - C:\Windows\system32\taskhostw.exe | cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2652
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID:1212
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID:1224
  signatures: Indicator Removal: Clear Windows Event Logs
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID:1284
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID:1364
  - C:\Windows\system32\sihost.exe | cmd: sihost.exe | PID:2488
  - C:\Windows\system32\sihost.exe | cmd: sihost.exe | PID:3836
  - C:\Windows\system32\sihost.exe | cmd: sihost.exe | PID:1640
  - C:\Windows\system32\sihost.exe | cmd: sihost.exe | PID:3164
  - C:\Windows\system32\sihost.exe | cmd: sihost.exe | PID:3192
  - C:\Windows\system32\sihost.exe | cmd: sihost.exe | PID:4952
  - C:\Windows\system32\sihost.exe | cmd: sihost.exe | PID:4768
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID:1388
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID:1464
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID:1572
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID:1580
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | PID:1660
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID:1720
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID:1752
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | PID:1760
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1856
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | PID:1968
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1976
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID:2000
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID:1616
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID:1884
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID:2140
- C:\Windows\System32\spoolsv.exe | cmd: C:\Windows\System32\spoolsv.exe | PID:2156
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID:2252
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2504
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID:2628
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID:2636
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | PID:2708
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID:2760
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\sysmon.exe | cmd: C:\Windows\sysmon.exe | PID:2796
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID:2816
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID:2824
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker | PID:2840
- C:\Windows\system32\wbem\unsecapp.exe | cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID:2964
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID:3396
- C:\Windows\Explorer.EXE | cmd: C:\Windows\Explorer.EXE | PID:3504
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\Client-built.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" | PID:1612
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3612
- C:\Windows\system32\DllHost.exe | cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3804
- C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3956
- C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4188
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | PID:4444
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | PID:4392
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | PID:3204
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | cmd: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID:4452
- C:\Windows\system32\SppExtComObj.exe | cmd: C:\Windows\system32\SppExtComObj.exe -Embedding | PID:4128
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | PID:4680
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc | PID:5116
- C:\Windows\system32\DllHost.exe | cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3188
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc | PID:1344
- C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2744
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | PID:764
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc | PID:2116
- C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k WerSvcGroup | PID:832
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\WerFault.exe | cmd: C:\Windows\system32\WerFault.exe -pss -s 484 -p 316 -ip 316 | PID:64
    signatures: Suspicious use of NtCreateProcessExOtherParentProcess
  - C:\Windows\system32\WerFault.exe | cmd: C:\Windows\system32\WerFault.exe -pss -s 532 -p 616 -ip 616 | PID:440
  - C:\Windows\system32\WerFault.exe | cmd: C:\Windows\system32\WerFault.exe -pss -s 560 -p 672 -ip 672 | PID:4776
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3264
- C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:1748
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 31KB
  MD5: e82dc2e019283f2017f4928777111c73
  SHA1: 54b51da5de02c5376102565ada7634d7ba2ae565
  SHA256: 23bb543c4f5c2c57b16c4af30c371262681b9ca436d67e1b5454bf62bf176bc2
  SHA512: 04053282a5b8471220cb0d9e1cd34e2d3c907d9f28c4267380c7aec4f2179648656309e16f465c3f244e67de552431f1adaa83b4a9ada38b02aa15ec7b4bff46
- Filesize: 13KB
  MD5: 209aa3a88e7ecda0b9d582b0b25cd8a7
  SHA1: 380b18ead44798a53bef5f48e318fd32c0233f68
  SHA256: d567c6d55560d2906c0a3a192ebdf40e6a61bc78cd8762fb6bb22398b75067a9
  SHA512: e836b3f5a033ff16baf1dcb6432e826a9c6586c002d7842f9e1312319136943d1d17227ea15ba3c720d1af515c81e533bac054f011aba12ad967eb643b9c82cf
- Filesize: 36KB
  MD5: 521cd9406e97eb46fb43bf4a325d63b7
  SHA1: 8a39b8243487eb96018ca08ac91f5fb272e07e69
  SHA256: 42d36d2550bb63684fd2064792a5008a6f54e4745c8b24d0bc6311dceea463ef
  SHA512: 3bada8dff7435369c727dc6ac49a0d9803eb52c1fa0faebff625a61e39a6b9505a7e96d532d49f4ec8f5bc9311002844935b7ae0bc07e10601150888d5bc7849
- Filesize: 13KB
  MD5: 553790f878759733fb35b1c477ce6a1d
  SHA1: 9893f83d44e1f65451e5a90600c18bb0779df080
  SHA256: 3b874d2c56cc23cbda56dee681df5c3bbb37feda736c26e9cd0d0e35de653563
  SHA512: 2e89b764849974ba6a5fa039b72c2a49a65dd7800162a188f8230cba033f73c78b96441bd16f2c9ff57ac14ef29aa274ad4aa9228fb07fd8ca44ab5d8299d3f7
- Filesize: 36KB
  MD5: 68828124cbc8a375676206a0332d2d61
  SHA1: c1575301c7c43d1840a8c9d6a385666754641bfe
  SHA256: 7a8e6bf9b599338d9c28a17a903b5c4816305d758b59563beb96892e04ac3473
  SHA512: 0d83e6b094581f76a2f48d25d40138894e6f3b01e7a1b7d9537389373e0c9c65cec978c599a3db0db1e7c5ee559d10ff3218d9d5938531fe432fc7101ed9569e
- Filesize: 13KB
  MD5: 08a9ae996867f3bbb51634e29adcb3dc
  SHA1: 9b02daf7c176d17b37a461196c8278e1cac38410
  SHA256: 2ddad288fa4e7ed46878d82863540f9b457ad2d7835027ed5b887b7b62b3be57
  SHA512: 0e054e929b5c2f731370968d7f44c9089fa90382a4dbd5bc64e5e5e58962a7e25babb3b3e8e8ca013abf3fd954e59c118ef8a512630f620d3c86b47c2c43815a