dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb

Analysis

max time kernel
92s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
Size

316KB
MD5

3ba429d1f65ec333a850f60ed1021db0
SHA1

d3a31399467d8799bda174d3ffeeabaa95929d88
SHA256

dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb
SHA512

75273b0a4ae73ed4ae1717febbffadb2d7956330a75b1994199f857299aa690a893e7d3ac119401d00f39100fcf604aa7d751bb03a6ec1f1fa6f33e9fe10ac2b
SSDEEP

1536:LCPm98cr5qpbVOVb/u6BtvtdY7ekVZG4Ucx4fVP3CBomUJxtaRrZKVhPt6Bo:LlbJqX7agBohhaBZKVL

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 604	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	3
PID 2676 wrote to memory of 604	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	3
PID 2676 wrote to memory of 604	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	3
PID 2676 wrote to memory of 604	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	3
PID 2676 wrote to memory of 604	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	3
PID 2676 wrote to memory of 604	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	3
PID 2676 wrote to memory of 672	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	1
PID 2676 wrote to memory of 672	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	1
PID 2676 wrote to memory of 672	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	1
PID 2676 wrote to memory of 672	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	1
PID 2676 wrote to memory of 672	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	1
PID 2676 wrote to memory of 672	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	1
PID 2676 wrote to memory of 784	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	8
PID 2676 wrote to memory of 784	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	8
PID 2676 wrote to memory of 784	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	8
PID 2676 wrote to memory of 784	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	8
PID 2676 wrote to memory of 784	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	8
PID 2676 wrote to memory of 784	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	8
PID 2676 wrote to memory of 788	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	38
PID 2676 wrote to memory of 788	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	38
PID 2676 wrote to memory of 788	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	38
PID 2676 wrote to memory of 788	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	38
PID 2676 wrote to memory of 788	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	38
PID 2676 wrote to memory of 788	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	38
PID 2676 wrote to memory of 800	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	17
PID 2676 wrote to memory of 800	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	17
PID 2676 wrote to memory of 800	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	17
PID 2676 wrote to memory of 800	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	17
PID 2676 wrote to memory of 800	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	17
PID 2676 wrote to memory of 800	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	17
PID 2676 wrote to memory of 908	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	15
PID 2676 wrote to memory of 908	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	15
PID 2676 wrote to memory of 908	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	15
PID 2676 wrote to memory of 908	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	15
PID 2676 wrote to memory of 908	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	15
PID 2676 wrote to memory of 908	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	15
PID 2676 wrote to memory of 960	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	13
PID 2676 wrote to memory of 960	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	13
PID 2676 wrote to memory of 960	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	13
PID 2676 wrote to memory of 960	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	13
PID 2676 wrote to memory of 960	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	13
PID 2676 wrote to memory of 960	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	13
PID 2676 wrote to memory of 376	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	9
PID 2676 wrote to memory of 376	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	9
PID 2676 wrote to memory of 376	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	9
PID 2676 wrote to memory of 376	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	9
PID 2676 wrote to memory of 376	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	9
PID 2676 wrote to memory of 376	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	9
PID 2676 wrote to memory of 524	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	10
PID 2676 wrote to memory of 524	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	10
PID 2676 wrote to memory of 524	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	10
PID 2676 wrote to memory of 524	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	10
PID 2676 wrote to memory of 524	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	10
PID 2676 wrote to memory of 524	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	10
PID 2676 wrote to memory of 656	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	11
PID 2676 wrote to memory of 656	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	11
PID 2676 wrote to memory of 656	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	11
PID 2676 wrote to memory of 656	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	11
PID 2676 wrote to memory of 656	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	11
PID 2676 wrote to memory of 656	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	11
PID 2676 wrote to memory of 736	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	12
PID 2676 wrote to memory of 736	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	12
PID 2676 wrote to memory of 736	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	12
PID 2676 wrote to memory of 736	2676	dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe	12

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:784
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:800
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3564
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3908
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2840
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4068
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4784
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3876
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3664
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3452
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3444
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1164
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1364
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1876

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:8

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3140

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2824
- C:\Users\Admin\AppData\Local\Temp\dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe
  "C:\Users\Admin\AppData\Local\Temp\dd063fef040505571e62f68f1fbcc9cfcd53cfecf63dd255f63a654ea3bd3ddb.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2700

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2676-132-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2676-133-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download