c2e8eab84c23134e367654536c0e40144e4c1c7ad5aaa09443dca439203bfca6

Analysis

max time kernel
148s
max time network
151s
platform
windows10_x64
resource
win10v20210410
submitted
20-04-2021 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
Size

636KB
MD5

4a4958ffe77c82041421024861cf0cc9
SHA1

c4c371f190c7363c8d0e6675702338f11214ea09
SHA256

1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53
SHA512

ac05159733601ffecfab34cba6a5465ca553e035046c50361784409d2b779bcb40c2f05bf0fa749fd2470cae20675cd04d9c46dc6977e46b7d27fff3ae2226e5

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe:*:enabled:@shell32.dll,-1"	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3916 created 3892 3916 WerFault.exe 1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3916 3892 WerFault.exe 1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe

description	pid	process	target process
PID 3916 created 3892	3916	WerFault.exe	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe

pid	pid_target	process	target process
3916	3892	WerFault.exe	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exeWerFault.exe

pid	process
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe

Suspicious behavior: MapViewOfSection 59 IoCs

Processes:

1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe

pid	process
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
Token: SeRestorePrivilege	3916	WerFault.exe
Token: SeBackupPrivilege	3916	WerFault.exe
Token: SeDebugPrivilege	3916	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe

pid process

3892 1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe

description	pid	process	target process
PID 3892 wrote to memory of 568	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	winlogon.exe
PID 3892 wrote to memory of 568	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	winlogon.exe
PID 3892 wrote to memory of 568	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	winlogon.exe
PID 3892 wrote to memory of 568	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	winlogon.exe
PID 3892 wrote to memory of 568	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	winlogon.exe
PID 3892 wrote to memory of 568	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	winlogon.exe
PID 3892 wrote to memory of 620	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	lsass.exe
PID 3892 wrote to memory of 620	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	lsass.exe
PID 3892 wrote to memory of 620	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	lsass.exe
PID 3892 wrote to memory of 620	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	lsass.exe
PID 3892 wrote to memory of 620	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	lsass.exe
PID 3892 wrote to memory of 620	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	lsass.exe
PID 3892 wrote to memory of 708	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 708	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 708	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 708	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 708	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 708	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 728	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	fontdrvhost.exe
PID 3892 wrote to memory of 728	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	fontdrvhost.exe
PID 3892 wrote to memory of 728	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	fontdrvhost.exe
PID 3892 wrote to memory of 728	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	fontdrvhost.exe
PID 3892 wrote to memory of 728	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	fontdrvhost.exe
PID 3892 wrote to memory of 728	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	fontdrvhost.exe
PID 3892 wrote to memory of 736	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	fontdrvhost.exe
PID 3892 wrote to memory of 736	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	fontdrvhost.exe
PID 3892 wrote to memory of 736	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	fontdrvhost.exe
PID 3892 wrote to memory of 736	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	fontdrvhost.exe
PID 3892 wrote to memory of 736	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	fontdrvhost.exe
PID 3892 wrote to memory of 736	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	fontdrvhost.exe
PID 3892 wrote to memory of 768	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 768	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 768	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 768	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 768	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 768	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 840	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 840	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 840	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 840	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 840	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 840	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 888	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 888	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 888	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 888	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 888	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 888	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 972	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	dwm.exe
PID 3892 wrote to memory of 972	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	dwm.exe
PID 3892 wrote to memory of 972	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	dwm.exe
PID 3892 wrote to memory of 972	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	dwm.exe
PID 3892 wrote to memory of 972	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	dwm.exe
PID 3892 wrote to memory of 972	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	dwm.exe
PID 3892 wrote to memory of 996	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 996	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 996	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 996	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 996	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 996	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 392	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 392	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 392	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe
PID 3892 wrote to memory of 392	3892	1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:620

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:568

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:972

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:708

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:840

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1340

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1396

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:4020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1876

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4064

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3512

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3244

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3236

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe
"C:\Users\Admin\AppData\Local\Temp\1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53.exe"
2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1220
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2740

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2724

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:1808

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2704

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2652

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2492

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2336

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b8
1⤵
PID:2224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2132

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s WinHttpAutoProxySvc
1⤵
PID:2056

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1520

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1996

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1932

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1792

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1576

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1528

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1464

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1200

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1060

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:996

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:768

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:736

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads