ae5c6da441bacb0495f974463361432af4c46d79d4d22dc2fe80192e5602a61f

Analysis

max time kernel
116s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 19:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ae5c6da441bacb0495f974463361432af4c46d79d4d22dc2fe80192e5602a61f.dll
Size

801KB
MD5

660cc8241cd6c037ea0f8a7bdac10cd0
SHA1

04a4d177b3f17243f92da99eb7cf41b02997bd05
SHA256

ae5c6da441bacb0495f974463361432af4c46d79d4d22dc2fe80192e5602a61f
SHA512

67526f767e43b5a66a620c75c96e08b455b172f5ed5de2e1c8fccd89ddfbfbaf96bbd8a515805187631e2b5b5f454fd227044ff8bccf2a301b72ca2088441d98
SSDEEP

12288:J7ei6CQkeVnnyWiw1E6X93nZHaEFeQsJ+H9zsfOO5b0HNoW+szOOI3Je:RelkeVnyXw1/tXQKrH9YG37O93Je

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	regsvr32mgr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regsvr32mgr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	regsvr32mgr.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\regsvr32mgr.exe = "C:\\Windows\\SysWOW64\\regsvr32mgr.exe:*:enabled:@shell32.dll,-1"	regsvr32mgr.exe

Executes dropped EXE 1 IoCs

pid	Process
404	regsvr32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0001000000022dfd-134.dat	upx
behavioral2/files/0x0001000000022dfd-135.dat	upx
behavioral2/memory/404-136-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4000	404	WerFault.exe	85

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\ = "ISimpleShlExt"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ProgID\ = "Catalyst Context Menu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ae5c6da441bacb0495f974463361432af4c46d79d4d22dc2fe80192e5602a61f.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ = "SimpleShlExt Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ae5c6da441bacb0495f974463361432af4c46d79d4d22dc2fe80192e5602a61f.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\TypeLib\ = "{B009308D-E21E-4B9F-A00B-78A1D0C6B719}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\VersionIndependentProgID\ = "Catalyst Context Menu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\TypeLib\ = "{5E2121EE-0300-11D4-8D3B-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\ = "SimpleEx 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\ = "ISimpleShlExt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\TypeLib\ = "{B009308D-E21E-4B9F-A00B-78A1D0C6B719}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
404	regsvr32mgr.exe
404	regsvr32mgr.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe
404	regsvr32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	regsvr32mgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2840	2488	regsvr32.exe	83
PID 2488 wrote to memory of 2840	2488	regsvr32.exe	83
PID 2488 wrote to memory of 2840	2488	regsvr32.exe	83
PID 2840 wrote to memory of 404	2840	regsvr32.exe	85
PID 2840 wrote to memory of 404	2840	regsvr32.exe	85
PID 2840 wrote to memory of 404	2840	regsvr32.exe	85
PID 404 wrote to memory of 616	404	regsvr32mgr.exe	5
PID 404 wrote to memory of 616	404	regsvr32mgr.exe	5
PID 404 wrote to memory of 616	404	regsvr32mgr.exe	5
PID 404 wrote to memory of 616	404	regsvr32mgr.exe	5
PID 404 wrote to memory of 616	404	regsvr32mgr.exe	5
PID 404 wrote to memory of 616	404	regsvr32mgr.exe	5
PID 404 wrote to memory of 672	404	regsvr32mgr.exe	3
PID 404 wrote to memory of 672	404	regsvr32mgr.exe	3
PID 404 wrote to memory of 672	404	regsvr32mgr.exe	3
PID 404 wrote to memory of 672	404	regsvr32mgr.exe	3
PID 404 wrote to memory of 672	404	regsvr32mgr.exe	3
PID 404 wrote to memory of 672	404	regsvr32mgr.exe	3
PID 404 wrote to memory of 780	404	regsvr32mgr.exe	8
PID 404 wrote to memory of 780	404	regsvr32mgr.exe	8
PID 404 wrote to memory of 780	404	regsvr32mgr.exe	8
PID 404 wrote to memory of 780	404	regsvr32mgr.exe	8
PID 404 wrote to memory of 780	404	regsvr32mgr.exe	8
PID 404 wrote to memory of 780	404	regsvr32mgr.exe	8
PID 404 wrote to memory of 788	404	regsvr32mgr.exe	81
PID 404 wrote to memory of 788	404	regsvr32mgr.exe	81
PID 404 wrote to memory of 788	404	regsvr32mgr.exe	81
PID 404 wrote to memory of 788	404	regsvr32mgr.exe	81
PID 404 wrote to memory of 788	404	regsvr32mgr.exe	81
PID 404 wrote to memory of 788	404	regsvr32mgr.exe	81
PID 404 wrote to memory of 800	404	regsvr32mgr.exe	80
PID 404 wrote to memory of 800	404	regsvr32mgr.exe	80
PID 404 wrote to memory of 800	404	regsvr32mgr.exe	80
PID 404 wrote to memory of 800	404	regsvr32mgr.exe	80
PID 404 wrote to memory of 800	404	regsvr32mgr.exe	80
PID 404 wrote to memory of 800	404	regsvr32mgr.exe	80
PID 404 wrote to memory of 896	404	regsvr32mgr.exe	79
PID 404 wrote to memory of 896	404	regsvr32mgr.exe	79
PID 404 wrote to memory of 896	404	regsvr32mgr.exe	79
PID 404 wrote to memory of 896	404	regsvr32mgr.exe	79
PID 404 wrote to memory of 896	404	regsvr32mgr.exe	79
PID 404 wrote to memory of 896	404	regsvr32mgr.exe	79
PID 404 wrote to memory of 956	404	regsvr32mgr.exe	78
PID 404 wrote to memory of 956	404	regsvr32mgr.exe	78
PID 404 wrote to memory of 956	404	regsvr32mgr.exe	78
PID 404 wrote to memory of 956	404	regsvr32mgr.exe	78
PID 404 wrote to memory of 956	404	regsvr32mgr.exe	78
PID 404 wrote to memory of 956	404	regsvr32mgr.exe	78
PID 404 wrote to memory of 64	404	regsvr32mgr.exe	9
PID 404 wrote to memory of 64	404	regsvr32mgr.exe	9
PID 404 wrote to memory of 64	404	regsvr32mgr.exe	9
PID 404 wrote to memory of 64	404	regsvr32mgr.exe	9
PID 404 wrote to memory of 64	404	regsvr32mgr.exe	9
PID 404 wrote to memory of 64	404	regsvr32mgr.exe	9
PID 404 wrote to memory of 536	404	regsvr32mgr.exe	77
PID 404 wrote to memory of 536	404	regsvr32mgr.exe	77
PID 404 wrote to memory of 536	404	regsvr32mgr.exe	77
PID 404 wrote to memory of 536	404	regsvr32mgr.exe	77
PID 404 wrote to memory of 536	404	regsvr32mgr.exe	77
PID 404 wrote to memory of 536	404	regsvr32mgr.exe	77
PID 404 wrote to memory of 732	404	regsvr32mgr.exe	10
PID 404 wrote to memory of 732	404	regsvr32mgr.exe	10
PID 404 wrote to memory of 732	404	regsvr32mgr.exe	10
PID 404 wrote to memory of 732	404	regsvr32mgr.exe	10

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:780
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2564

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1904

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4944

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:4992

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3008

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:4124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3376

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4764

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3796

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3604

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3388

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3088

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:776
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ae5c6da441bacb0495f974463361432af4c46d79d4d22dc2fe80192e5602a61f.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\ae5c6da441bacb0495f974463361432af4c46d79d4d22dc2fe80192e5602a61f.dll
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\regsvr32mgr.exe
      C:\Windows\SysWOW64\regsvr32mgr.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 508
        5⤵
        Program crash
        
        PID:4000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2492

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1744

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:800
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4340

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 404 -ip 404
1⤵
PID:3588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
159KB

MD5
d94ecd0292d32f0de870db4eaa81ac8d

SHA1
521ac6ab241cd87378017a5b7bc4192a5a6d1a03

SHA256
ed84536416c022d55443d97ab0d95d10fdff30168bb5373f6a74c7fe02efdd88

SHA512
276c5648c036bc3d504a06ed44e03fa921e0b4211153b4c6337049bc0153eb77f17639c0366a70a92e144c59254610e41968ba470d4ba9f735373921b57e4bfa

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
159KB

MD5
d94ecd0292d32f0de870db4eaa81ac8d

SHA1
521ac6ab241cd87378017a5b7bc4192a5a6d1a03

SHA256
ed84536416c022d55443d97ab0d95d10fdff30168bb5373f6a74c7fe02efdd88

SHA512
276c5648c036bc3d504a06ed44e03fa921e0b4211153b4c6337049bc0153eb77f17639c0366a70a92e144c59254610e41968ba470d4ba9f735373921b57e4bfa

Download Submit
memory/404-136-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download