fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5

Analysis

max time kernel
134s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 01:11 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
Size

60KB
MD5

a2f1c1c077ef736fdeb5f75d1cf85760
SHA1

54783aab84529bc10bad84d41f9ee6b393c2beb2
SHA256

fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5
SHA512

728b31b0be397cb2b22f0aaaef76510d77bf14051a89416dc76d04493884588b4935d28672ed0b5dfe05d9304e7fa9d2524921a7d48b6a202f4e1c28738bb54d
SSDEEP

768:CKDPMFpnRml/IDFQv0zyP6clUAjtj3wv8txwg3NRyiXn1LbKesoq:j8pnmgXzyycNjt8UdnyiXnldsz

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe:*:enabled:@shell32.dll,-1"	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\ETC\HOSTS	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 576	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	5
PID 4884 wrote to memory of 576	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	5
PID 4884 wrote to memory of 576	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	5
PID 4884 wrote to memory of 576	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	5
PID 4884 wrote to memory of 576	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	5
PID 4884 wrote to memory of 576	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	5
PID 4884 wrote to memory of 664	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	3
PID 4884 wrote to memory of 664	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	3
PID 4884 wrote to memory of 664	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	3
PID 4884 wrote to memory of 664	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	3
PID 4884 wrote to memory of 664	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	3
PID 4884 wrote to memory of 664	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	3
PID 4884 wrote to memory of 764	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	18
PID 4884 wrote to memory of 764	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	18
PID 4884 wrote to memory of 764	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	18
PID 4884 wrote to memory of 764	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	18
PID 4884 wrote to memory of 764	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	18
PID 4884 wrote to memory of 764	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	18
PID 4884 wrote to memory of 784	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	7
PID 4884 wrote to memory of 784	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	7
PID 4884 wrote to memory of 784	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	7
PID 4884 wrote to memory of 784	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	7
PID 4884 wrote to memory of 784	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	7
PID 4884 wrote to memory of 784	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	7
PID 4884 wrote to memory of 792	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	17
PID 4884 wrote to memory of 792	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	17
PID 4884 wrote to memory of 792	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	17
PID 4884 wrote to memory of 792	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	17
PID 4884 wrote to memory of 792	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	17
PID 4884 wrote to memory of 792	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	17
PID 4884 wrote to memory of 884	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	16
PID 4884 wrote to memory of 884	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	16
PID 4884 wrote to memory of 884	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	16
PID 4884 wrote to memory of 884	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	16
PID 4884 wrote to memory of 884	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	16
PID 4884 wrote to memory of 884	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	16
PID 4884 wrote to memory of 940	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	15
PID 4884 wrote to memory of 940	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	15
PID 4884 wrote to memory of 940	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	15
PID 4884 wrote to memory of 940	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	15
PID 4884 wrote to memory of 940	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	15
PID 4884 wrote to memory of 940	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	15
PID 4884 wrote to memory of 1016	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	8
PID 4884 wrote to memory of 1016	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	8
PID 4884 wrote to memory of 1016	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	8
PID 4884 wrote to memory of 1016	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	8
PID 4884 wrote to memory of 1016	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	8
PID 4884 wrote to memory of 1016	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	8
PID 4884 wrote to memory of 440	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	9
PID 4884 wrote to memory of 440	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	9
PID 4884 wrote to memory of 440	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	9
PID 4884 wrote to memory of 440	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	9
PID 4884 wrote to memory of 440	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	9
PID 4884 wrote to memory of 440	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	9
PID 4884 wrote to memory of 424	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	10
PID 4884 wrote to memory of 424	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	10
PID 4884 wrote to memory of 424	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	10
PID 4884 wrote to memory of 424	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	10
PID 4884 wrote to memory of 424	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	10
PID 4884 wrote to memory of 424	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	10
PID 4884 wrote to memory of 880	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	14
PID 4884 wrote to memory of 880	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	14
PID 4884 wrote to memory of 880	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	14
PID 4884 wrote to memory of 880	4884	fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe	14

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:576
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:784
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1100
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:884

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:764
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3440
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3376
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3276
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:3328
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:1624
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4700
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3964
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3688
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2648
- C:\Users\Admin\AppData\Local\Temp\fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe
  "C:\Users\Admin\AppData\Local\Temp\fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe"
  2⤵
  - Modifies firewall policy service
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4884

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2464

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:1692

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1180

Network

DNS

ilo.brenz.pl

fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe

Remote address:

8.8.8.8:53

Request

ilo.brenz.pl

IN A

Response

ilo.brenz.pl

IN A

148.81.111.121
DNS

97.97.242.52.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

97.97.242.52.in-addr.arpa

IN PTR

Response
DNS

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

IN PTR

Response

72.21.81.240:80

92 B
80 B
2
2
148.81.111.121:80

ilo.brenz.pl

fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe

260 B
200 B
5
5
72.21.91.29:80

46 B
40 B
1
1
72.21.81.240:80

46 B
40 B
1
1
209.197.3.8:80

wlidsvc

322 B
7
20.189.173.14:443

OfficeClickToRun.exe

322 B
7
93.184.221.240:80

CryptSvc

322 B
7
93.184.221.240:80

CryptSvc

322 B
7
88.221.25.154:80

46 B
40 B
1
1

8.8.8.8:53

ilo.brenz.pl

dns

fd39c883d89ee500217adb24c814ef2ad0f5623af993f2fba06915f19e9601f5.exe

58 B
74 B
1
1

DNS Request

ilo.brenz.pl

DNS Response

148.81.111.121
8.8.8.8:53

97.97.242.52.in-addr.arpa

dns

Dnscache

71 B
145 B
1
1

DNS Request

97.97.242.52.in-addr.arpa
8.8.8.8:53

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

dns

Dnscache

118 B
204 B
1
1

DNS Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4884-132-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.