e3f9f047e996dc69c240cff4aff0f51f8a752a640e2d76f92c9046a76288ea93

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c453e40aee6db06dc7c47a0dac822efe.exe
Size

154KB
MD5

c453e40aee6db06dc7c47a0dac822efe
SHA1

f5328ffd740c47b6f24772d4b5d7d20caa94ea88
SHA256

e3f9f047e996dc69c240cff4aff0f51f8a752a640e2d76f92c9046a76288ea93
SHA512

14cfcc829f57500dcea496bc60ba95e596fd3eaf8095a3c2eaedbc135193a25965c60256ed797312cfffc769dc41e3db5614109f28f3418b5822421d0fbd181a
SSDEEP

3072:3GpX65p/ftXlt1wLrnjkcb/EKdqcrwbtpgW8TMVVlePX3OqP:2pq7fteHwcb/EglcbtCvMVVI

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4116	cleansweep.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/744-0-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/744-8-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-7-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-24-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-33-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-52-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-58-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-59-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-61-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-60-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-57-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-56-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-55-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-54-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-53-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-51-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-50-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-49-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-48-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-47-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-31-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-30-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-29-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-28-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-27-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-26-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-25-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-23-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-22-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-21-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-20-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-19-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-18-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-17-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-16-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-15-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-14-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-13-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-12-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-11-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-10-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-9-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-6-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-5-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-4-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-3-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3576-2-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/files/0x00070000000231f7-4568.dat	upx
behavioral2/memory/744-4571-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4116-4569-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
744	c453e40aee6db06dc7c47a0dac822efe.exe
744	c453e40aee6db06dc7c47a0dac822efe.exe
744	c453e40aee6db06dc7c47a0dac822efe.exe
744	c453e40aee6db06dc7c47a0dac822efe.exe
4116	cleansweep.exe
4116	cleansweep.exe
4116	cleansweep.exe
4116	cleansweep.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	c453e40aee6db06dc7c47a0dac822efe.exe
Token: SeDebugPrivilege	744	c453e40aee6db06dc7c47a0dac822efe.exe
Token: SeDebugPrivilege	4116	cleansweep.exe
Token: SeDebugPrivilege	4116	cleansweep.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 3576	744	c453e40aee6db06dc7c47a0dac822efe.exe	57
PID 744 wrote to memory of 596	744	c453e40aee6db06dc7c47a0dac822efe.exe	5
PID 744 wrote to memory of 596	744	c453e40aee6db06dc7c47a0dac822efe.exe	5
PID 744 wrote to memory of 596	744	c453e40aee6db06dc7c47a0dac822efe.exe	5
PID 744 wrote to memory of 596	744	c453e40aee6db06dc7c47a0dac822efe.exe	5

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:772
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:332

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3212
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3880
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3968
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4032
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:1332
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4156
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4540
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:2104
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:3748
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3900
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2196
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  2⤵
  PID:3180
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:3988
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2272
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1124
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1348
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2128

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2892

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3576
- C:\Users\Admin\AppData\Local\Temp\c453e40aee6db06dc7c47a0dac822efe.exe
  "C:\Users\Admin\AppData\Local\Temp\c453e40aee6db06dc7c47a0dac822efe.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\cleansweep.exe\cleansweep.exe
    "C:\cleansweep.exe\cleansweep.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:5016

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:3716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\cleansweep.exe\cleansweep.exe

Filesize
154KB

MD5
c453e40aee6db06dc7c47a0dac822efe

SHA1
f5328ffd740c47b6f24772d4b5d7d20caa94ea88

SHA256
e3f9f047e996dc69c240cff4aff0f51f8a752a640e2d76f92c9046a76288ea93

SHA512
14cfcc829f57500dcea496bc60ba95e596fd3eaf8095a3c2eaedbc135193a25965c60256ed797312cfffc769dc41e3db5614109f28f3418b5822421d0fbd181a

Download Submit
C:\cleansweep.exe\config.bin

Filesize
52KB

MD5
8ee04dece40ddd67306535bf9c4a14cf

SHA1
dc39562de13c1a2990ff0f73ace83173f755180d

SHA256
5e2fb914d1193e56c2b069dec184a7dbb54006197d645abd3ce4a477c3e1628e

SHA512
e06c05d466d44ee667469ab63d420eb64bd3136c927a01c38043a351cd22f68dd7d59575a1b351d71e6f6703e71c513a9633833c0fd9c88042d6a68b66678ed8

Download Submit
memory/744-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/744-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/744-4571-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-52-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-54-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-53-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-51-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-50-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-30-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-26-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-6-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4116-4569-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download