Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 14-03-2022 05:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: SHITYOURSELF.exe
- Resource: win7-20220311-en
General
- Target: SHITYOURSELF.exe
- Size: 121KB
- MD5: c497c71621630045eb8d0673ae817d70
- SHA1: 74c6e0b93f8c6d5d5634bf32a47a6c4968fefc01
- SHA256: b8e40ed3d1f01fd75f0f43d4784d92aaa9596f289f23c35969af1a4c1e149c30
- SHA512: 73a8f54b95ccdfaa5f2e42dca771687612e514de87904840f4eac5fc87f0262051e614c0b0f4d576fe99f58b421dc106f45fe3bea011e0eb8bdc2d99e92f6463
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  Processes: SHITYOURSELF.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | SHITYOURSELF.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SHITYOURSELF.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SHITYOURSELF.exe:*:enabled:@shell32.dll,-1" | SHITYOURSELF.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | SHITYOURSELF.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | SHITYOURSELF.exe
- Executes dropped EXE (2 IoCs)
  Processes: SHITYOURSELFSrv.exe, DesktopLayer.exe
  pid | process
  1812 | SHITYOURSELFSrv.exe
  2036 | DesktopLayer.exe
- Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe | upx
  C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe | upx
  C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
  behavioral2/memory/1812-133-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
  behavioral2/memory/2036-136-0x0000000000400000-0x0000000000436000-memory.dmp | upx
- Drops file in Program Files directory (3 IoCs)
  Processes: SHITYOURSELFSrv.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Microsoft\px5C66.tmp | SHITYOURSELFSrv.exe
  File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | SHITYOURSELFSrv.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | SHITYOURSELFSrv.exe
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2036714187" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350183105" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2037182929" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947170" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2037182929" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947170" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2036714187" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947170" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{70F3D89E-A355-11EC-B9A4-46AC0546711C} = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947170" | iexplore.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: SHITYOURSELF.exe, DesktopLayer.exe
  pid | process
  1516 | SHITYOURSELF.exe (2 entries)
  2036 | DesktopLayer.exe (8 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: iexplore.exe
  pid | process
  2380 | iexplore.exe
- Suspicious behavior: MapViewOfSection (64 IoCs)
  Processes: SHITYOURSELF.exe
  pid | process
  1516 | SHITYOURSELF.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: SHITYOURSELF.exe
  description | pid | process
  Token: SeDebugPrivilege | 1516 | SHITYOURSELF.exe
  Token: SeTakeOwnershipPrivilege | 1516 | SHITYOURSELF.exe
  Token: SeRestorePrivilege | 1516 | SHITYOURSELF.exe
  Token: SeBackupPrivilege | 1516 | SHITYOURSELF.exe
  Token: SeChangeNotifyPrivilege | 1516 | SHITYOURSELF.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: iexplore.exe
  pid | process
  2380 | iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: iexplore.exe, IEXPLORE.EXE
  pid | process
  2380 | iexplore.exe (2 entries)
  4348 | IEXPLORE.EXE (4 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: SHITYOURSELF.exe
  description | pid | process | target process
  PID 1516 wrote to memory of 1812 | 1516 | SHITYOURSELF.exe | SHITYOURSELFSrv.exe (3 entries)
  PID 1516 wrote to memory of 620 | 1516 | SHITYOURSELF.exe | winlogon.exe (6 entries)
  PID 1516 wrote to memory of 672 | 1516 | SHITYOURSELF.exe | lsass.exe (6 entries)
  PID 1516 wrote to memory of 780 | 1516 | SHITYOURSELF.exe | fontdrvhost.exe (6 entries)
  PID 1516 wrote to memory of 784 | 1516 | SHITYOURSELF.exe | fontdrvhost.exe (6 entries)
  PID 1516 wrote to memory of 796 | 1516 | SHITYOURSELF.exe | svchost.exe (6 entries)
  PID 1516 wrote to memory of 904 | 1516 | SHITYOURSELF.exe | svchost.exe (6 entries)
  PID 1516 wrote to memory of 948 | 1516 | SHITYOURSELF.exe | svchost.exe (6 entries)
  PID 1516 wrote to memory of 1012 | 1516 | SHITYOURSELF.exe | dwm.exe (6 entries)
  PID 1516 wrote to memory of 740 | 1516 | SHITYOURSELF.exe | svchost.exe (6 entries)
  PID 1516 wrote to memory of 616 | 1516 | SHITYOURSELF.exe | svchost.exe (6 entries)
  PID 1516 wrote to memory of 996 | 1516 | SHITYOURSELF.exe | svchost.exe (1 entry)
Processes
image | command line | tree level | PID
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | level 1 | PID 672
- C:\Windows\system32\winlogon.exe | winlogon.exe | level 1 | PID 620
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | level 2 | PID 780
- C:\Windows\system32\dwm.exe | "dwm.exe" | level 2 | PID 1012
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | level 1 | PID 616
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | level 1 | PID 1040
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | level 1 | PID 1184
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | level 1 | PID 1252
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | level 1 | PID 1408
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | level 1 | PID 1468
- C:\Windows\system32\sihost.exe | sihost.exe | level 2 | PID 2356
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | level 1 | PID 1656
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache | level 1 | PID 1696
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | level 1 | PID 1848
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | level 1 | PID 1948
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | level 1 | PID 2016
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | level 1 | PID 1960
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | level 1 | PID 1704
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | level 1 | PID 2660
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | level 1 | PID 2768
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | level 1 | PID 3380
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | level 1 | PID 4604
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS | level 1 | PID 2216
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc | level 1 | PID 3948
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | level 1 | PID 5068
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | level 1 | PID 5076
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | level 1 | PID 5036
- C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | level 1 | PID 4448
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | level 1 | PID 4240
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | level 1 | PID 3272
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc | level 1 | PID 3936
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | level 1 | PID 3840
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | level 1 | PID 3632
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | level 1 | PID 3544
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | level 1 | PID 3468
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | level 1 | PID 3172
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | level 1 | PID 2688
- C:\Users\Admin\AppData\Local\Temp\SHITYOURSELF.exe | "C:\Users\Admin\AppData\Local\Temp\SHITYOURSELF.exe" | level 2 | PID 1516
  - Modifies firewall policy service
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe | C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe | level 3 | PID 1812
  - Executes dropped EXE
  - Drops file in Program Files directory
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe | "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" | level 4 | PID 2036
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" | level 5 | PID 2380
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:17410 /prefetch:2 | level 6 | PID 4348
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | level 1 | PID 2744
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | level 1 | PID 2736
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | level 1 | PID 2720
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | level 1 | PID 2676
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | level 1 | PID 2508
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | level 1 | PID 2500
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | level 1 | PID 2464
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | level 1 | PID 2368
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | level 1 | PID 2236
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | level 1 | PID 2188
- C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | level 1 | PID 2124
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | level 1 | PID 376
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | level 1 | PID 1036
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | level 1 | PID 1800
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | level 1 | PID 1676
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | level 1 | PID 1592
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | level 1 | PID 1440
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | level 1 | PID 1424
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | level 1 | PID 1296
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | level 1 | PID 1212
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | level 1 | PID 1200
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | level 1 | PID 1072
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | level 1 | PID 996
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | level 1 | PID 740
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | level 1 | PID 948
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p | level 1 | PID 904
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | level 1 | PID 796
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | level 1 | PID 784
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  MD5: 69dc6baf34bc7dc2197cfc6d15bc0a83
  SHA1: 193e9f44ce7e10fff6691ae05eb0a7c391698b25
  SHA256: 60b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
  SHA512: c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: 5fb0292bc5c1b9a106bee20bc97ee940
  SHA1: c49f2a151155e4b79db5bfdac9d1bec670fa0fab
  SHA256: 4a7ba3c987b937f6f596ec90947270cb7008a854ca70380de2b7506f14b08756
  SHA512: 3c2112133b2a3f0664bb4570ab6a3a056b64e99292365485e539da1f2360c8883680b5886b9216888a56081fdd6c8243f24ebbc98f5a26ca54fac5d30f32577e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: 55e7f8c53c23679ce2df549e0f71e76a
  SHA1: 05357509b64c81f1c95307e93644eecd26e4ed57
  SHA256: bf0313f3f937d9424884e216f0dcb38218b180b909b933bc345c5b72bf259e11
  SHA512: 7851a66e26caec76dc54bdfae9baeb3250777cdd9530338027e3ab1fcff16c0209acb497e8991714f639a9bef0e4ab7ed94d6a731a9ede326255c99bb132658d
- C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe
  MD5: 69dc6baf34bc7dc2197cfc6d15bc0a83
  SHA1: 193e9f44ce7e10fff6691ae05eb0a7c391698b25
  SHA256: 60b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
  SHA512: c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
- memory/1516-138-0x0000000077210000-0x00000000773B3000-memory.dmp
  Filesize: 1.6MB
- memory/1516-139-0x0000000077210000-0x00000000773B3000-memory.dmp
  Filesize: 1.6MB
- memory/1812-133-0x0000000000400000-0x0000000000436000-memory.dmp
  Filesize: 216KB
- memory/2036-135-0x0000000000450000-0x0000000000451000-memory.dmp
  Filesize: 4KB
- memory/2036-136-0x0000000000400000-0x0000000000436000-memory.dmp
  Filesize: 216KB
- memory/2036-137-0x0000000077210000-0x00000000773B3000-memory.dmp
  Filesize: 1.6MB