5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe
Size

512KB
MD5

22bdc1774f32565d23c36e3d118097dc
SHA1

8e212378366104fc9bae24fcffd9f97a88227c63
SHA256

5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b
SHA512

c97c2ec052d99266ef8582400ab0dfa832882592b0a38441bafc452bdc0dad5a84d207a3e6a846f192e88164766f98498947335c83787fd17d4f15897dd8fb58
SSDEEP

12288:b1dlZo5yUkDRZKlxJ9eCn9BoF/HtMB56R+nh6TnACZC5I+:b1dlZo5EDoxf6pHSb63UI0I+

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cvugenral = "C:\\Program Files (x86)\\Windowd UN\\svchosty.exe"	CLEAN.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	CLEAN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cvugenral = "C:\\Program Files (x86)\\Windowd UN\\svchosty.exe"	CLEAN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	CLEAN.exe

Executes dropped EXE 6 IoCs

pid	Process
4812	CLEAN.exe
4788	CLEAN.exe
1244	CLEAN.exe
2416	svchosty.exe
1716	svchosty.exe
716	svchosty.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AKCS228-7RSP-82BB-FN67-6EOJS5I2UPFD}\StubPath = "C:\\Program Files (x86)\\Windowd UN\\svchosty.exe Restart"	svchosty.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AKCS228-7RSP-82BB-FN67-6EOJS5I2UPFD}	CLEAN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AKCS228-7RSP-82BB-FN67-6EOJS5I2UPFD}\StubPath = "C:\\Program Files (x86)\\Windowd UN\\svchosty.exe Restart"	CLEAN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AKCS228-7RSP-82BB-FN67-6EOJS5I2UPFD}	svchosty.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4788-139-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/4788-143-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/4788-144-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/4788-146-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/4788-539-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/4788-557-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/1244-559-0x0000000010820000-0x0000000010856000-memory.dmp	upx
behavioral2/memory/1716-581-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/1716-984-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/716-985-0x0000000010860000-0x0000000010896000-memory.dmp	upx
behavioral2/memory/716-986-0x0000000010860000-0x0000000010896000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	CLEAN.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cvugenral = "C:\\Program Files (x86)\\Windowd UN\\svchosty.exe"	CLEAN.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	CLEAN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cvugenral = "C:\\Program Files (x86)\\Windowd UN\\svchosty.exe"	CLEAN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	CLEAN.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4812 set thread context of 4788	4812	CLEAN.exe	80
PID 4812 set thread context of 0	4812	CLEAN.exe
PID 2416 set thread context of 1716	2416	svchosty.exe	89
PID 2416 set thread context of 0	2416	svchosty.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windowd UN\svchosty.exe	CLEAN.exe
File opened for modification	C:\Program Files (x86)\Windowd UN\svchosty.exe	CLEAN.exe
File opened for modification	C:\Program Files (x86)\Windowd UN\plugin.dat	CLEAN.exe
File opened for modification	C:\Program Files (x86)\Windowd UN\	CLEAN.exe
File created	C:\Program Files (x86)\Windowd UN\logs.dat	svchosty.exe
File opened for modification	C:\Program Files (x86)\Windowd UN\logs.dat	svchosty.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CLEAN.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4788	CLEAN.exe
4788	CLEAN.exe
1716	svchosty.exe
1716	svchosty.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
716	svchosty.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	CLEAN.exe
Token: SeDebugPrivilege	4788	CLEAN.exe
Token: SeDebugPrivilege	4788	CLEAN.exe
Token: SeDebugPrivilege	4788	CLEAN.exe
Token: SeDebugPrivilege	1716	svchosty.exe
Token: SeDebugPrivilege	1716	svchosty.exe
Token: SeDebugPrivilege	1716	svchosty.exe
Token: SeDebugPrivilege	1716	svchosty.exe
Token: SeDebugPrivilege	716	svchosty.exe
Token: SeDebugPrivilege	716	svchosty.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4812	CLEAN.exe
2416	svchosty.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 4812	2440	5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe	79
PID 2440 wrote to memory of 4812	2440	5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe	79
PID 2440 wrote to memory of 4812	2440	5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe	79
PID 4812 wrote to memory of 4788	4812	CLEAN.exe	80
PID 4812 wrote to memory of 4788	4812	CLEAN.exe	80
PID 4812 wrote to memory of 4788	4812	CLEAN.exe	80
PID 4812 wrote to memory of 4788	4812	CLEAN.exe	80
PID 4812 wrote to memory of 4788	4812	CLEAN.exe	80
PID 4812 wrote to memory of 4788	4812	CLEAN.exe	80
PID 4812 wrote to memory of 4788	4812	CLEAN.exe	80
PID 4812 wrote to memory of 4788	4812	CLEAN.exe	80
PID 4812 wrote to memory of 0	4812	CLEAN.exe
PID 4812 wrote to memory of 0	4812	CLEAN.exe
PID 4812 wrote to memory of 0	4812	CLEAN.exe
PID 4812 wrote to memory of 0	4812	CLEAN.exe
PID 4812 wrote to memory of 0	4812	CLEAN.exe
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4
PID 4788 wrote to memory of 620	4788	CLEAN.exe	4

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1016
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:780
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3552
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3640
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3796
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4264
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4680
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:644
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:3992
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3488
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3384
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:4620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1680

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2644
- C:\Users\Admin\AppData\Local\Temp\5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe
  "C:\Users\Admin\AppData\Local\Temp\5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Extracted\CLEAN.exe
    "C:\Extracted\CLEAN.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Extracted\CLEAN.exe
      C:\Extracted\CLEAN.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Extracted\CLEAN.exe
        
        C:\Extracted\CLEAN.exe
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        
        PID:1244
      - C:\Program Files (x86)\Windowd UN\svchosty.exe
        
        "C:\Program Files (x86)\Windowd UN\svchosty.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Program Files (x86)\Windowd UN\svchosty.exe
        
        "C:\Program Files (x86)\Windowd UN\svchosty.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Program Files (x86)\Windowd UN\svchosty.exe
        
        "C:\Program Files (x86)\Windowd UN\svchosty.exe"
        8⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2652

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1884

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2572

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\CLEAN.exe

Filesize
176KB

MD5
14bbe284f5dbea370c72086a6cf9c285

SHA1
d64f1da8480a238f0fafd4a52c1ffe38729ee415

SHA256
e379873c5f9386e5fac3f2d44f631731527a14ab392b917b9f888e0599697f6e

SHA512
c4e4c14ff77d636a3a4adf7a378863b1705cb7313afb90dfe288cd5f1bedd2690b5425bbb35fc3772e292fbd4cda043529802d98eee946e31946153228454209

Download Submit
C:\Extracted\CLEAN.exe

Filesize
176KB

MD5
14bbe284f5dbea370c72086a6cf9c285

SHA1
d64f1da8480a238f0fafd4a52c1ffe38729ee415

SHA256
e379873c5f9386e5fac3f2d44f631731527a14ab392b917b9f888e0599697f6e

SHA512
c4e4c14ff77d636a3a4adf7a378863b1705cb7313afb90dfe288cd5f1bedd2690b5425bbb35fc3772e292fbd4cda043529802d98eee946e31946153228454209

Download Submit
C:\Extracted\CLEAN.exe

Filesize
176KB

MD5
14bbe284f5dbea370c72086a6cf9c285

SHA1
d64f1da8480a238f0fafd4a52c1ffe38729ee415

SHA256
e379873c5f9386e5fac3f2d44f631731527a14ab392b917b9f888e0599697f6e

SHA512
c4e4c14ff77d636a3a4adf7a378863b1705cb7313afb90dfe288cd5f1bedd2690b5425bbb35fc3772e292fbd4cda043529802d98eee946e31946153228454209

Download Submit
C:\Extracted\CLEAN.exe

Filesize
176KB

MD5
14bbe284f5dbea370c72086a6cf9c285

SHA1
d64f1da8480a238f0fafd4a52c1ffe38729ee415

SHA256
e379873c5f9386e5fac3f2d44f631731527a14ab392b917b9f888e0599697f6e

SHA512
c4e4c14ff77d636a3a4adf7a378863b1705cb7313afb90dfe288cd5f1bedd2690b5425bbb35fc3772e292fbd4cda043529802d98eee946e31946153228454209

Download Submit
C:\Program Files (x86)\Windowd UN\svchosty.exe

Filesize
176KB

MD5
14bbe284f5dbea370c72086a6cf9c285

SHA1
d64f1da8480a238f0fafd4a52c1ffe38729ee415

SHA256
e379873c5f9386e5fac3f2d44f631731527a14ab392b917b9f888e0599697f6e

SHA512
c4e4c14ff77d636a3a4adf7a378863b1705cb7313afb90dfe288cd5f1bedd2690b5425bbb35fc3772e292fbd4cda043529802d98eee946e31946153228454209

Download Submit
C:\Program Files (x86)\Windowd UN\svchosty.exe

Filesize
176KB

MD5
14bbe284f5dbea370c72086a6cf9c285

SHA1
d64f1da8480a238f0fafd4a52c1ffe38729ee415

SHA256
e379873c5f9386e5fac3f2d44f631731527a14ab392b917b9f888e0599697f6e

SHA512
c4e4c14ff77d636a3a4adf7a378863b1705cb7313afb90dfe288cd5f1bedd2690b5425bbb35fc3772e292fbd4cda043529802d98eee946e31946153228454209

Download Submit
C:\Program Files (x86)\Windowd UN\svchosty.exe

Filesize
176KB

MD5
14bbe284f5dbea370c72086a6cf9c285

SHA1
d64f1da8480a238f0fafd4a52c1ffe38729ee415

SHA256
e379873c5f9386e5fac3f2d44f631731527a14ab392b917b9f888e0599697f6e

SHA512
c4e4c14ff77d636a3a4adf7a378863b1705cb7313afb90dfe288cd5f1bedd2690b5425bbb35fc3772e292fbd4cda043529802d98eee946e31946153228454209

Download Submit
C:\Program Files (x86)\Windowd UN\svchosty.exe

Filesize
176KB

MD5
14bbe284f5dbea370c72086a6cf9c285

SHA1
d64f1da8480a238f0fafd4a52c1ffe38729ee415

SHA256
e379873c5f9386e5fac3f2d44f631731527a14ab392b917b9f888e0599697f6e

SHA512
c4e4c14ff77d636a3a4adf7a378863b1705cb7313afb90dfe288cd5f1bedd2690b5425bbb35fc3772e292fbd4cda043529802d98eee946e31946153228454209

Download Submit
memory/716-985-0x0000000010860000-0x0000000010896000-memory.dmp

Filesize
216KB

Download
memory/716-986-0x0000000010860000-0x0000000010896000-memory.dmp

Filesize
216KB

Download
memory/1244-558-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1244-559-0x0000000010820000-0x0000000010856000-memory.dmp

Filesize
216KB

Download
memory/1716-984-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1716-581-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2416-565-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2416-573-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4788-146-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4788-169-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/4788-211-0x0000000010420000-0x000000001042A000-memory.dmp

Filesize
40KB

Download
memory/4788-204-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/4788-557-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4788-197-0x0000000010410000-0x000000001041A000-memory.dmp

Filesize
40KB

Download
memory/4788-190-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/4788-183-0x00000000006E0000-0x00000000006EA000-memory.dmp

Filesize
40KB

Download
memory/4788-176-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/4788-539-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4788-162-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/4788-155-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/4788-148-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/4788-139-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4788-144-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4788-143-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4812-145-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4812-137-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download