Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2024, 03:23

Static task: static1
Behavioral task: behavioral1
Sample: 6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe
Resource: win7-20240903-en
General

Target: 6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe
Size: 16KB
MD5: acfdf588da4f3d02f8b4e6db8cc9e60d
SHA1: 71bc876820b36d478f65cb9f236499d8c98a7fdd
SHA256: 6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9
SHA512: 3698487d35e5d12d013c4f986375191e645038fa3199d7950c03370c085533aa6da2710ab2c9b7f200d5625c90b39bb5580fbf0dfced9cad6ebac86e001d83b8
SSDEEP: 384:eRc06pZg1jOAJO0lsJeho4ZbP5bvGINB9FlbP4Nk:qX6pZgAiO0Be49RlNB9XbQK
Malware Config

Extracted
Family: xworm
Version: 5.0
C2: 127.0.0.1:8895
C2: 162.230.48.189:8895
Mutex: ZRGtN7NDh24Vx89x
install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/2528-1110-0x0000000000400000-0x0000000000410000-memory.dmp | family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  description | pid | Process | procid_target
  PID 4852 created 3392 | 4852 | tmpBCD8.tmp.exe | 56
  PID 1740 created 3392 | 1740 | tmp7BA3.tmp.exe | 56

Xworm family

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | coiiic.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | tmp7BA3.tmp.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReturnType.vbs | tmpBCD8.tmp.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  4852 | tmpBCD8.tmp.exe
  2564 | coiiic.exe
  1740 | tmp7BA3.tmp.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\github_install = "C:\\Users\\Admin\\AppData\\Roaming\\github_install.exe" | tmp7BA3.tmp.exe

Command and Scripting Interpreter: PowerShell (1 IoC; heading recovered from the process tree below, where it is the only signature attached to PID 452)
  pid | Process
  452 | powershell.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4852 set thread context of 2528 | 4852 | tmpBCD8.tmp.exe | 88
  PID 1740 set thread context of 4784 | 1740 | tmp7BA3.tmp.exe | 113

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp7BA3.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpBCD8.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | coiiic.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  4852 | tmpBCD8.tmp.exe
  1740 | tmp7BA3.tmp.exe (2 entries)
  452 | powershell.exe (2 entries)
  4188 | msedge.exe (2 entries)
  2192 | msedge.exe (2 entries)
  1740 | tmp7BA3.tmp.exe (3 entries)
  1984 | identity_helper.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid | Process
  2192 | msedge.exe (6 entries)

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4680 | 6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe
  Token: SeDebugPrivilege | 4852 | tmpBCD8.tmp.exe (2 entries)
  Token: SeDebugPrivilege | 2528 | InstallUtil.exe
  Token: SeDebugPrivilege | 2564 | coiiic.exe
  Token: SeDebugPrivilege | 1740 | tmp7BA3.tmp.exe
  Token: SeDebugPrivilege | 452 | powershell.exe
  Token: SeDebugPrivilege | 1740 | tmp7BA3.tmp.exe
  Token: SeDebugPrivilege | 4784 | InstallUtil.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | Process
  2192 | msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  2192 | msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4680 wrote to memory of 4852 | 4680 | 6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe | 87 (3 entries)
  PID 4852 wrote to memory of 2528 | 4852 | tmpBCD8.tmp.exe | 88 (8 entries)
  PID 2528 wrote to memory of 2564 | 2528 | InstallUtil.exe | 99 (3 entries)
  PID 2564 wrote to memory of 1740 | 2564 | coiiic.exe | 100 (3 entries)
  PID 1740 wrote to memory of 452 | 1740 | tmp7BA3.tmp.exe | 102 (3 entries)
  PID 452 wrote to memory of 2192 | 452 | powershell.exe | 104 (2 entries)
  PID 2192 wrote to memory of 4144 | 2192 | msedge.exe | 105 (2 entries)
  PID 2192 wrote to memory of 1516 | 2192 | msedge.exe | 106 (remaining 40 entries)
Processes

Each process is listed with its image path, command line, the signatures triggered by it, and its PID; indentation shows the parent/child relationship as reported by the sandbox.

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3392

  C:\Users\Admin\AppData\Local\Temp\6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4680

    C:\Users\Admin\AppData\Local\Temp\tmpBCD8.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpBCD8.tmp.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4852

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2528

    C:\Users\Admin\AppData\Local\Temp\coiiic.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\coiiic.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2564

      C:\Users\Admin\AppData\Local\Temp\tmp7BA3.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7BA3.tmp.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1740

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://trashycontinuousbubbly.com/wkhy5rzh2v?key=8f87e6d0bc0d653ad051bd077c8dd5ad"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 452

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://trashycontinuousbubbly.com/wkhy5rzh2v?key=8f87e6d0bc0d653ad051bd077c8dd5ad
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 2192

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee90546f8,0x7ffee9054708,0x7ffee9054718
              PID: 4144

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
              PID: 1516

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
              - Suspicious behavior: EnumeratesProcesses
              PID: 4188

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
              PID: 3252

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
              PID: 3432

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
              PID: 1072

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
              PID: 228

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
              - Suspicious behavior: EnumeratesProcesses
              PID: 1984

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
              PID: 4176

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
              PID: 3148

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
              PID: 4884

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
              PID: 4296

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 4784

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4216

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4796
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: e443ee4336fcf13c698b8ab5f3c173d0
SHA1: 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA256: 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512: cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Filesize: 152B
MD5: 56a4f78e21616a6e19da57228569489b
SHA1: 21bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256: d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512: c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Filesize: 5KB
MD5: 62972f09b9f7128e9185854af2eb50cc
SHA1: 66e05b291e1f833ae5098cd451075a602a8e0b39
SHA256: c220eac787a412fe564684e365d962c7711ba6d20cf22ae62f15d229efb72cdf
SHA512: 3a274c7199eee5e4c72b03e3b29660d3b766ba96f60a9d855f96d9264c4c9b345474273e5eec99ec74a54c39e555635cd9c651eb75a6bf83f9aa60ad85c87138

Filesize: 6KB
MD5: 02ad081149b460ac00d56c9491a119a6
SHA1: 8dffdfd9bdd0c2d1c3fd00ee793098258ecc3e38
SHA256: 4c58851d6697e688346c7979e0899537f70377cf630720677f496b7487c9ed5d
SHA512: 07c582e9ff19e6aeef250c5ab8321b6847533af553d1b0fb18a136ade39ae716173b4a8919b328e846d86869e8073700602ef728828d9cecc067e356c7173b02

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 11KB
MD5: ecb0d78f1ac6fd3b59e27f356062bdad
SHA1: d1739ca1b1c1370769495131e5f8383fc0a25b06
SHA256: 94651e3e3feda485c11ca78294f6b1fd9f7b402ac8f6e1aa4b8880e1ffbad542
SHA512: 9dfa47a497dcae7865ef5201cb37e69cad83ca88d2a6db135e61f6135daca0ba2f24e9f5a14bca2dbd7ffe877140d9fe46c47b1f255c6396eabe0934875fb9e8

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 5KB
MD5: a935a6bef40cd45cac42da267be89cf7
SHA1: 3a861c7dd590ef58b5d14d0d7f614cc05d4f9446
SHA256: 3e2b0853a60dbe619179aca70b5c560cc81bb1bff1fb9eb18c92442ffb5f7646
SHA512: facc4774bad84df1bc84e2f60531482d93496cf250979168368dcdae8f68164beaff93901776ad1da366653c9b55e686ba41db3ae85c49f08178168c65cb1ce3

Filesize: 1.4MB
MD5: d53cbe20ab628a9619459367ba42ae5c
SHA1: 22a66b3eecf462519abc249bda2e4b28439fc639
SHA256: a2405a789ade187fe954ae0e9c82fb97ccfbd306bf5b1591e2b8a29e0555ea4b
SHA512: ca02bf41e682cc526aeff93d7527812b9903bc61296170ca313939fe7e7daf4ea6dffc81daeac137c6d6d651a7d98ee60408053415bcdd1b662dad4f4a11eca8

Filesize: 1.3MB
MD5: a4c1ea4b6e69e69462efa7659ff6f48c
SHA1: cf71024bf28f10f63bf7cd27dba64d406c2ed97c
SHA256: 1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803
SHA512: be527013711f308bb9a0deb65b11066570e86cee896041d55556dc8566a2476bc96ab089ca155030397d95fd8d358170bc2f5b0bf97efd579dd464b1ca803507