536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1

General

Target

536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Size

369KB
MD5

4e236014a4e7f3742cf77ad30f3099aa
SHA1

12663bfe4f048b3370058cfac6844a8770d21692
SHA256

536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1
SHA512

d6d81780704c165e97653b5a0d1a1f167f704f724ea8f8cd093c717f13cfd4e274fe1b38ea225ebfcb028669985782c0f97ead423ec4503aab94fabdc43660e6
SSDEEP

6144:DkSEsivYjDdwpnwnK9nzts+In08Ig+m1eibpvo0kL1YxM2dTfcPepfspjR:DhfGYfdwhnz18Fn1eibpw0kRo/dTfc2y

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\tzxpm2 = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe

description	pid	process	target process
PID 1440 set thread context of 1920	1440	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe

pid	process
1440	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe

description	pid	process
Token: SeDebugPrivilege	1440	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeDebugPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeIncreaseQuotaPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeSecurityPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeTakeOwnershipPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeLoadDriverPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeSystemProfilePrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeSystemtimePrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeProfSingleProcessPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeIncBasePriorityPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeCreatePagefilePrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeBackupPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeRestorePrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeShutdownPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeDebugPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeSystemEnvironmentPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeRemoteShutdownPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeUndockPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeManageVolumePrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: 33	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: 34	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: 35	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeIncreaseQuotaPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeSecurityPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeTakeOwnershipPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeLoadDriverPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeSystemProfilePrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeSystemtimePrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeProfSingleProcessPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeIncBasePriorityPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeCreatePagefilePrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeBackupPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeRestorePrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeShutdownPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeDebugPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeSystemEnvironmentPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeRemoteShutdownPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeUndockPrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: SeManageVolumePrivilege	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: 33	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: 34	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
Token: 35	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe

description	pid	process	target process
PID 1440 wrote to memory of 1920	1440	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
PID 1440 wrote to memory of 1920	1440	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
PID 1440 wrote to memory of 1920	1440	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
PID 1440 wrote to memory of 1920	1440	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
PID 1440 wrote to memory of 1920	1440	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
PID 1440 wrote to memory of 1920	1440	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
PID 1440 wrote to memory of 1920	1440	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
PID 1440 wrote to memory of 1920	1440	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
PID 1440 wrote to memory of 1920	1440	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
PID 1920 wrote to memory of 1244	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	Explorer.EXE
PID 1920 wrote to memory of 884	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 260	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	smss.exe
PID 1920 wrote to memory of 2036	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	wmiprvse.exe
PID 1920 wrote to memory of 1056	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	sppsvc.exe
PID 1920 wrote to memory of 1188	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	Dwm.exe
PID 1920 wrote to memory of 332	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	csrss.exe
PID 1920 wrote to memory of 416	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	winlogon.exe
PID 1920 wrote to memory of 680	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 584	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 1080	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 844	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 664	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 484	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	lsm.exe
PID 1920 wrote to memory of 1992	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	WMIADAP.EXE
PID 1920 wrote to memory of 744	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 476	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	lsass.exe
PID 1920 wrote to memory of 972	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	spoolsv.exe
PID 1920 wrote to memory of 380	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	csrss.exe
PID 1920 wrote to memory of 460	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	services.exe
PID 1920 wrote to memory of 368	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	wininit.exe
PID 1920 wrote to memory of 812	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 1128	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	taskhost.exe
PID 1920 wrote to memory of 272	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 1244	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	Explorer.EXE
PID 1920 wrote to memory of 884	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 260	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	smss.exe
PID 1920 wrote to memory of 2036	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	wmiprvse.exe
PID 1920 wrote to memory of 1056	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	sppsvc.exe
PID 1920 wrote to memory of 1188	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	Dwm.exe
PID 1920 wrote to memory of 332	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	csrss.exe
PID 1920 wrote to memory of 416	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	winlogon.exe
PID 1920 wrote to memory of 680	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 584	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 1080	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 844	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 664	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 484	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	lsm.exe
PID 1920 wrote to memory of 1992	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	WMIADAP.EXE
PID 1920 wrote to memory of 744	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 476	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	lsass.exe
PID 1920 wrote to memory of 972	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	spoolsv.exe
PID 1920 wrote to memory of 380	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	csrss.exe
PID 1920 wrote to memory of 1532	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	wmiprvse.exe
PID 1920 wrote to memory of 460	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	services.exe
PID 1920 wrote to memory of 368	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	wininit.exe
PID 1920 wrote to memory of 812	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe
PID 1920 wrote to memory of 1128	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	taskhost.exe
PID 1920 wrote to memory of 272	1920	536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:680

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1056

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:584

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
3⤵
PID:1532

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:2036

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1992

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
"C:\Users\Admin\AppData\Local\Temp\536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe
"C:\Users\Admin\AppData\Local\Temp\536f13664f9898f74e50a11f2d460f19111864c99f1f0d0e08d9190278499ec1.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1440-55-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1440-70-0x0000000000436000-0x0000000000447000-memory.dmp

Filesize
68KB

Download
memory/1440-69-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-67-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1920-56-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1920-63-0x00000000004878CE-mapping.dmp

Download
memory/1920-62-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1920-61-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1920-65-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1920-59-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1920-57-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1920-71-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-72-0x0000000000535000-0x0000000000546000-memory.dmp

Filesize
68KB

Download
memory/1920-73-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-74-0x0000000000535000-0x0000000000546000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads