Analysis
- max time kernel: 148s
- max time network: 152s
- resource: win10v191014
Tasks
- task1: sample 084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe, resource win7v191014, 0 signatures
- task2: sample 084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe, resource win10v191014, 0 signatures
General
- Target: 084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e
- Sample: 191025-f6pl6zcd7e
- SHA256: 084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e
- Score: N/A
Malware Config
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 4984 (084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe) set thread context of PID 992 (084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe)
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
- PID 2876 (svchost.exe) created PID 4984 (084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe)
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
- PID 4008 WerFault.exe
- PID 2876 svchost.exe
- PID 4712 WerFault.exe
-
Checks system information in the registry (likely anti-VM) 2 TTPs 6 IoCs
Processes:
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer (PID 4008, WerFault.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (PID 4008, WerFault.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer (PID 4712, WerFault.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (PID 4712, WerFault.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer (PID 3060, svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (PID 3060, svchost.exe)
-
Checks SCSI registry key(s) (likely anti-VM) 3 TTPs 12 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 (PID 4556, svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID (PID 4556, svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs (PID 4556, svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 (PID 4556, svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID (PID 4556, svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs (PID 4556, svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 (PID 3660, svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID (PID 3660, svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs (PID 3660, svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 (PID 3660, svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID (PID 3660, svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs (PID 3660, svchost.exe)
-
Enumerates system info in registry 2 TTPs 8 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (PID 4008, WerFault.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (PID 4008, WerFault.exe)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (PID 4008, WerFault.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (PID 4008, WerFault.exe)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (PID 4712, WerFault.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (PID 4712, WerFault.exe)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (PID 4712, WerFault.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (PID 4712, WerFault.exe)
-
Checks processor information in registry (likely anti-VM) 2 TTPs 4 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (PID 4008, WerFault.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (PID 4008, WerFault.exe)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (PID 4712, WerFault.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (PID 4712, WerFault.exe)
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
- PID 4712 (WerFault.exe) created PID 4984 (084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe)
-
Drops file in system dir 5 IoCs
Processes:
- File opened for modification C:\Windows\Debug\ESE.TXT (PID 3960, svchost.exe)
- File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp (PID 3960, svchost.exe)
- File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp (PID 3960, svchost.exe)
- File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp (PID 3960, svchost.exe)
- File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp (PID 3960, svchost.exe)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
- PID 1948 (SppExtComObj.exe) wrote to memory of PID 1572 (SLUI.exe)
- PID 4984 (084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe) wrote to memory of PID 992 (084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe)
- PID 2876 (svchost.exe) wrote to memory of PID 4008 (WerFault.exe)
- PID 2876 (svchost.exe) wrote to memory of PID 4712 (WerFault.exe)
-
Program crash 2 IoCs
Processes:
- PID 4008 WerFault.exe
- PID 4712 WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
- Token: SeRestorePrivilege (PID 4008, WerFault.exe)
- Token: SeBackupPrivilege (PID 4008, WerFault.exe)
- Token: SeDebugPrivilege (PID 4008, WerFault.exe)
- Token: SeSystemEnvironmentPrivilege (PID 3660, svchost.exe)
- Token: SeDebugPrivilege (PID 4712, WerFault.exe)
-
Checks processor name in registry (likely anti-VM) 2 TTPs 2 IoCs
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (PID 4008, WerFault.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (PID 4712, WerFault.exe)
-
Modifies service 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName = "Global\\MMF_BITSd301d925-c37f-41a3-aa52-70ce16d19de7" (PID 3960, svchost.exe)
-
Modifies system certificate store 4 IoCs
Processes:
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\0217922CA1B6F0BD0F1D7FF6E7BDC29B2FAAA060 (PID 4556, svchost.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\0217922CA1B6F0BD0F1D7FF6E7BDC29B2FAAA060\Blob = … (PID 4556, svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6 (PID 4556, svchost.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6\Blob = … (PID 4556, svchost.exe)
-
Windows security modification 2 IoCs
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" (PID 3628, svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" (PID 3628, svchost.exe)
-
Drops Office document 23 IoCs
Processes (all by PID 992, 084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe):
- File opened for modification \??\c:\Users\Admin\Desktop\WritePop.pptx
- File opened for modification \??\c:\Users\Admin\Desktop\SuspendAssert.xlsm
- File opened for modification \??\c:\Users\Admin\Documents\SubmitDebug.ppt
- File opened for modification \??\c:\Users\Admin\Documents\WriteDismount.xlsx
- File opened for modification \??\c:\Users\Admin\Downloads\TraceUninstall.xls
- File opened for modification \??\c:\Users\Admin\Downloads\TraceWatch.xlsb
- File opened for modification \??\c:\Users\Admin\Documents\ApproveMeasure.docm
- File opened for modification \??\c:\Users\Admin\Desktop\SkipUnlock.xltx
- File opened for modification \??\c:\Users\Admin\Documents\Are.docx
- File opened for modification \??\c:\Users\Admin\Desktop\OpenSplit.xltx
- File opened for modification \??\c:\Users\Admin\Documents\Files.docx
- File opened for modification \??\c:\Users\Admin\Documents\NewUnprotect.xltm
- File opened for modification \??\c:\Users\Admin\Documents\Opened.docx
- File opened for modification \??\c:\Users\Admin\Documents\OutConvert.docm
- File opened for modification \??\c:\Users\Admin\Documents\ReceiveEnable.pot
- File opened for modification \??\c:\Users\Admin\Documents\Recently.docx
- File opened for modification \??\c:\Users\Admin\Documents\These.docx
- File opened for modification \??\c:\Users\Admin\Downloads\SwitchLock.docx
- File opened for modification \??\c:\Users\Admin\Music\UninstallGet.docx
- File opened for modification \??\c:\Users\Admin\Documents\AddDismount.pptm
- File opened for modification \??\c:\Users\Admin\Documents\CloseLock.potx
- File opened for modification \??\c:\Users\Admin\Documents\DisconnectCompare.xltm
- File opened for modification \??\c:\Users\Admin\Music\RestartPublish.docm
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4984
-
Image: C:\Windows\system32\SppExtComObj.exe
Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
- Suspicious use of WriteProcessMemory
PID:1948
-
Image: C:\Windows\System32\SLUI.exe
Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
PID:1572
-
Image: C:\Users\Admin\AppData\Local\Temp\084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\084e772f4891b7047ce98b2fe70d9472ed7afbc36477ada6d5a7b589042f3d8e.exe"
- Drops Office document
PID:992
-
Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k WerSvcGroup
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
-
Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 324
- Suspicious behavior: EnumeratesProcesses
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Checks processor name in registry (likely anti-VM)
PID:4008
-
Image: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
- Checks SCSI registry key(s) (likely anti-VM)
- Modifies system certificate store
PID:4556
-
Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k wsappx -s ClipSVC
- Checks SCSI registry key(s) (likely anti-VM)
- Suspicious use of AdjustPrivilegeToken
PID:3660
-
Image: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s wisvc
PID:4652
-
Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 316
- Suspicious behavior: EnumeratesProcesses
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Checks processor name in registry (likely anti-VM)
PID:4712
-
Image: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost
PID:3692
-
Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
PID:3868
-
Image: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
- Drops file in system dir
- Modifies service
PID:3960
-
Image: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
PID:2968
-
Image: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
- Checks system information in the registry (likely anti-VM)
PID:3060
-
Image: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup
PID:3280
-
Image: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
- Windows security modification
PID:3628
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1031
- T1130
- T1089