b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca

Analysis

max time kernel
147s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2022 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Size

4.1MB
MD5

e16394ef0b1dedaad80491307fa24d5d
SHA1

72d20ec1bd531b097b468bda5776ad01775d5233
SHA256

b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca
SHA512

9cef7437487cfe9ae8c9d728a98a4502ecd883999bd9bdae4a1ed3eeda3aae235baa2455df2b1d0827aac939584bc26f8c7a11d32ed3d9d10da2104e4ca2490f
SSDEEP

98304:NhRnhNDa9+zSAsOLrac/AMj5qF52Ut8+cduuuRtnHpM8IK:ZhG+VsOHTAMj5wUh+NLRtnJM8V

Score

10^/10

evasion

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2116 created 3408	2116	svchost.exe	84

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4316	netsh.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3408	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
3408	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3408	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Token: SeImpersonatePrivilege	3408	b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
Token: SeTcbPrivilege	2116	svchost.exe
Token: SeTcbPrivilege	2116	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1264	2116	svchost.exe	101
PID 2116 wrote to memory of 1264	2116	svchost.exe	101
PID 2116 wrote to memory of 1264	2116	svchost.exe	101

C:\Users\Admin\AppData\Local\Temp\b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
"C:\Users\Admin\AppData\Local\Temp\b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408
- C:\Users\Admin\AppData\Local\Temp\b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe
  "C:\Users\Admin\AppData\Local\Temp\b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca.exe"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:748
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4316
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:4368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
e16394ef0b1dedaad80491307fa24d5d

SHA1
72d20ec1bd531b097b468bda5776ad01775d5233

SHA256
b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca

SHA512
9cef7437487cfe9ae8c9d728a98a4502ecd883999bd9bdae4a1ed3eeda3aae235baa2455df2b1d0827aac939584bc26f8c7a11d32ed3d9d10da2104e4ca2490f

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
e16394ef0b1dedaad80491307fa24d5d

SHA1
72d20ec1bd531b097b468bda5776ad01775d5233

SHA256
b94cf0bd4680a028647b8588a054f5f9faa7e67a8ddaa936c5c51dda616c73ca

SHA512
9cef7437487cfe9ae8c9d728a98a4502ecd883999bd9bdae4a1ed3eeda3aae235baa2455df2b1d0827aac939584bc26f8c7a11d32ed3d9d10da2104e4ca2490f

Download Submit
memory/1264-138-0x000000000291B000-0x0000000002D04000-memory.dmp

Filesize
3.9MB

Download
memory/1264-139-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1264-144-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/3408-136-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/3408-132-0x00000000028FD000-0x0000000002CE6000-memory.dmp

Filesize
3.9MB

Download
memory/3408-134-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/3408-133-0x0000000002CF0000-0x0000000003566000-memory.dmp

Filesize
8.5MB

Download