426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 06:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
Size

500KB
MD5

3347552aa09c4c82643bb8208f10dfe0
SHA1

455c324106cce3ea37fc3620bcacd96311f4d1ab
SHA256

426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79
SHA512

6c98c94e39dc9b6672dee53298cd32bd2af79df4dd93258c693514a311560a6bf04e2efed4d26d431eceb8ee30c11694cbfd361471752e8370ede694de91a789
SSDEEP

12288:e+vMwQh85td43o3XD9b3wgGY8QKqRWFn5:e+EwFtdXD1ggGY8F15

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe:*:enabled:@shell32.dll,-1"	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\H:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\K:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\L:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\M:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\Q:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\Y:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\F:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\J:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\R:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\T:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\U:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\G:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\I:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\N:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\S:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\Z:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\E:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\O:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\P:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\V:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
File opened (read-only)	\??\X:	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 628	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	2
PID 2836 wrote to memory of 628	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	2
PID 2836 wrote to memory of 628	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	2
PID 2836 wrote to memory of 628	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	2
PID 2836 wrote to memory of 628	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	2
PID 2836 wrote to memory of 628	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	2
PID 2836 wrote to memory of 676	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	3
PID 2836 wrote to memory of 676	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	3
PID 2836 wrote to memory of 676	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	3
PID 2836 wrote to memory of 676	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	3
PID 2836 wrote to memory of 676	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	3
PID 2836 wrote to memory of 676	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	3
PID 2836 wrote to memory of 788	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	8
PID 2836 wrote to memory of 788	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	8
PID 2836 wrote to memory of 788	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	8
PID 2836 wrote to memory of 788	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	8
PID 2836 wrote to memory of 788	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	8
PID 2836 wrote to memory of 788	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	8
PID 2836 wrote to memory of 796	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	9
PID 2836 wrote to memory of 796	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	9
PID 2836 wrote to memory of 796	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	9
PID 2836 wrote to memory of 796	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	9
PID 2836 wrote to memory of 796	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	9
PID 2836 wrote to memory of 796	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	9
PID 2836 wrote to memory of 800	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	15
PID 2836 wrote to memory of 800	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	15
PID 2836 wrote to memory of 800	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	15
PID 2836 wrote to memory of 800	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	15
PID 2836 wrote to memory of 800	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	15
PID 2836 wrote to memory of 800	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	15
PID 2836 wrote to memory of 908	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	14
PID 2836 wrote to memory of 908	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	14
PID 2836 wrote to memory of 908	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	14
PID 2836 wrote to memory of 908	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	14
PID 2836 wrote to memory of 908	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	14
PID 2836 wrote to memory of 908	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	14
PID 2836 wrote to memory of 956	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	11
PID 2836 wrote to memory of 956	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	11
PID 2836 wrote to memory of 956	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	11
PID 2836 wrote to memory of 956	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	11
PID 2836 wrote to memory of 956	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	11
PID 2836 wrote to memory of 956	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	11
PID 2836 wrote to memory of 340	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	10
PID 2836 wrote to memory of 340	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	10
PID 2836 wrote to memory of 340	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	10
PID 2836 wrote to memory of 340	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	10
PID 2836 wrote to memory of 340	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	10
PID 2836 wrote to memory of 340	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	10
PID 2836 wrote to memory of 524	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	12
PID 2836 wrote to memory of 524	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	12
PID 2836 wrote to memory of 524	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	12
PID 2836 wrote to memory of 524	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	12
PID 2836 wrote to memory of 524	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	12
PID 2836 wrote to memory of 524	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	12
PID 2836 wrote to memory of 872	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	13
PID 2836 wrote to memory of 872	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	13
PID 2836 wrote to memory of 872	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	13
PID 2836 wrote to memory of 872	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	13
PID 2836 wrote to memory of 872	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	13
PID 2836 wrote to memory of 872	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	13
PID 2836 wrote to memory of 900	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	16
PID 2836 wrote to memory of 900	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	16
PID 2836 wrote to memory of 900	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	16
PID 2836 wrote to memory of 900	2836	426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe	16

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:340
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:800

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3416
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3504
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4740
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:2012
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:752
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4420
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3804
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3352
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3260

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1172
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1924

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2152

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2576

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:4532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:2268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2972

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2548
- C:\Users\Admin\AppData\Local\Temp\426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe
  "C:\Users\Admin\AppData\Local\Temp\426a548249bc3cafcf347ab32636f999c4dcd84598d7add7f3cce5816e978e79.exe"
  2⤵
  - Modifies firewall policy service
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2836-132-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2836-133-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download