4fe7b2d7f391cb0780eb9d3abb54548f4a28b8d86ef98276226506a9027908e9

Analysis

max time kernel
140s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbd565b5fc7e2c7ae5a72323c6c84043.exe
Size

241KB
MD5

bbd565b5fc7e2c7ae5a72323c6c84043
SHA1

dc9f8f2c724079a34f3cd14e956d5d7e0536da53
SHA256

4fe7b2d7f391cb0780eb9d3abb54548f4a28b8d86ef98276226506a9027908e9
SHA512

9c723ec532654340d98b1c6ef06484ea0661a4fa23adb00abd516296d3b5f577e0061fc9b3b56d73fad3041ab425b3a69c701c136efafd4074f97eaf36bda2b9
SSDEEP

6144:2qdNGT8pG5cnEUyE7NmZpIDYSHKp9JT5S6VR/Uu:nTnEUye0YHO9JXR/j

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	bbd565b5fc7e2c7ae5a72323c6c84043.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	bbd565b5fc7e2c7ae5a72323c6c84043.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	bbd565b5fc7e2c7ae5a72323c6c84043.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\bbd565b5fc7e2c7ae5a72323c6c84043.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bbd565b5fc7e2c7ae5a72323c6c84043.exe:*:enabled:@shell32.dll,-1"	bbd565b5fc7e2c7ae5a72323c6c84043.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4688	2184	WerFault.exe	81
3232	2184	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe
2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 628	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	5
PID 2184 wrote to memory of 628	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	5
PID 2184 wrote to memory of 628	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	5
PID 2184 wrote to memory of 628	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	5
PID 2184 wrote to memory of 628	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	5
PID 2184 wrote to memory of 628	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	5
PID 2184 wrote to memory of 684	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	7
PID 2184 wrote to memory of 684	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	7
PID 2184 wrote to memory of 684	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	7
PID 2184 wrote to memory of 684	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	7
PID 2184 wrote to memory of 684	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	7
PID 2184 wrote to memory of 684	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	7
PID 2184 wrote to memory of 788	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	8
PID 2184 wrote to memory of 788	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	8
PID 2184 wrote to memory of 788	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	8
PID 2184 wrote to memory of 788	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	8
PID 2184 wrote to memory of 788	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	8
PID 2184 wrote to memory of 788	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	8
PID 2184 wrote to memory of 792	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	9
PID 2184 wrote to memory of 792	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	9
PID 2184 wrote to memory of 792	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	9
PID 2184 wrote to memory of 792	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	9
PID 2184 wrote to memory of 792	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	9
PID 2184 wrote to memory of 792	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	9
PID 2184 wrote to memory of 804	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	10
PID 2184 wrote to memory of 804	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	10
PID 2184 wrote to memory of 804	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	10
PID 2184 wrote to memory of 804	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	10
PID 2184 wrote to memory of 804	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	10
PID 2184 wrote to memory of 804	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	10
PID 2184 wrote to memory of 912	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	11
PID 2184 wrote to memory of 912	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	11
PID 2184 wrote to memory of 912	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	11
PID 2184 wrote to memory of 912	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	11
PID 2184 wrote to memory of 912	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	11
PID 2184 wrote to memory of 912	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	11
PID 2184 wrote to memory of 964	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	12
PID 2184 wrote to memory of 964	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	12
PID 2184 wrote to memory of 964	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	12
PID 2184 wrote to memory of 964	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	12
PID 2184 wrote to memory of 964	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	12
PID 2184 wrote to memory of 964	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	12
PID 2184 wrote to memory of 316	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	13
PID 2184 wrote to memory of 316	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	13
PID 2184 wrote to memory of 316	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	13
PID 2184 wrote to memory of 316	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	13
PID 2184 wrote to memory of 316	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	13
PID 2184 wrote to memory of 316	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	13
PID 2184 wrote to memory of 396	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	14
PID 2184 wrote to memory of 396	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	14
PID 2184 wrote to memory of 396	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	14
PID 2184 wrote to memory of 396	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	14
PID 2184 wrote to memory of 396	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	14
PID 2184 wrote to memory of 396	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	14
PID 2184 wrote to memory of 704	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	15
PID 2184 wrote to memory of 704	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	15
PID 2184 wrote to memory of 704	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	15
PID 2184 wrote to memory of 704	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	15
PID 2184 wrote to memory of 704	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	15
PID 2184 wrote to memory of 704	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	15
PID 2184 wrote to memory of 1032	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	16
PID 2184 wrote to memory of 1032	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	16
PID 2184 wrote to memory of 1032	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	16
PID 2184 wrote to memory of 1032	2184	bbd565b5fc7e2c7ae5a72323c6c84043.exe	16

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:792
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:804
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3164
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3864
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3968
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4032
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:1016
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4124
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4500
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4652
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1888
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4828
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  2⤵
  PID:2756
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:5060
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1204
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1388
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2040

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2828

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3264

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3320
- C:\Users\Admin\AppData\Local\Temp\bbd565b5fc7e2c7ae5a72323c6c84043.exe
  "C:\Users\Admin\AppData\Local\Temp\bbd565b5fc7e2c7ae5a72323c6c84043.exe"
  2⤵
  - Modifies firewall policy service
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 540
    3⤵
    - Program crash
    PID:3232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 512
    3⤵
    - Program crash
    PID:4688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2148

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2184 -ip 2184
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2184 -ip 2184
1⤵
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2184-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2184-2-0x00000000777F2000-0x00000000777F3000-memory.dmp

Filesize
4KB

Download
memory/2184-1-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2184-3-0x00000000777F3000-0x00000000777F4000-memory.dmp

Filesize
4KB

Download
memory/2184-4-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2184-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2184-6-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2184-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download