571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
Size

332KB
MD5

800313d736c6333dae0abdfeb8f04852
SHA1

94996af19c45e9af13d0b414e2d89af52d93dc54
SHA256

571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666
SHA512

b26828483e7f25a9f1fa6ca83b712086728b1fbc6f4b41e68223a73404c519cc324ce5ed8a55dc91cb047b228af87ebd604e8064d56324d9032f52e33242a037
SSDEEP

6144:XVfjmNhks7EgoBeXkTf9lGcWiKIxpcRWz6Ujd4nVstVDse:F7+eeXxfiKIxpckjJ4ut

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	cmd.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	cmd.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\cmd.exe = "C:\\Windows\\SysWOW64\\cmd.exe:*:enabled:@shell32.dll,-1"	cmd.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	2272	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1188	Logo1_.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\M:	cmd.exe
File opened (read-only)	\??\P:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\U:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\Q:	cmd.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	cmd.exe
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\N:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\W:	cmd.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\G:	cmd.exe
File opened (read-only)	\??\H:	cmd.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Content\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
File created	C:\Windows\Logo1_.exe	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe
1188	Logo1_.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe
Token: SeChangeNotifyPrivilege	1188	Logo1_.exe
Token: SeTakeOwnershipPrivilege	1188	Logo1_.exe
Token: SeRestorePrivilege	1188	Logo1_.exe
Token: SeBackupPrivilege	1188	Logo1_.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 2272	3100	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	85
PID 3100 wrote to memory of 2272	3100	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	85
PID 3100 wrote to memory of 2272	3100	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	85
PID 3100 wrote to memory of 1188	3100	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	86
PID 3100 wrote to memory of 1188	3100	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	86
PID 3100 wrote to memory of 1188	3100	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	86
PID 1188 wrote to memory of 3864	1188	Logo1_.exe	87
PID 1188 wrote to memory of 3864	1188	Logo1_.exe	87
PID 1188 wrote to memory of 3864	1188	Logo1_.exe	87
PID 3864 wrote to memory of 1628	3864	net.exe	90
PID 3864 wrote to memory of 1628	3864	net.exe	90
PID 3864 wrote to memory of 1628	3864	net.exe	90
PID 2272 wrote to memory of 2496	2272	cmd.exe	91
PID 2272 wrote to memory of 2496	2272	cmd.exe	91
PID 2272 wrote to memory of 2496	2272	cmd.exe	91
PID 2496 wrote to memory of 608	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	5
PID 2496 wrote to memory of 608	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	5
PID 2496 wrote to memory of 608	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	5
PID 2496 wrote to memory of 608	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	5
PID 2496 wrote to memory of 608	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	5
PID 2496 wrote to memory of 608	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	5
PID 2496 wrote to memory of 668	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	7
PID 2496 wrote to memory of 668	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	7
PID 2496 wrote to memory of 668	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	7
PID 2496 wrote to memory of 668	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	7
PID 2496 wrote to memory of 668	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	7
PID 2496 wrote to memory of 668	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	7
PID 2496 wrote to memory of 764	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	8
PID 2496 wrote to memory of 764	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	8
PID 2496 wrote to memory of 764	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	8
PID 2496 wrote to memory of 764	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	8
PID 2496 wrote to memory of 764	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	8
PID 2496 wrote to memory of 764	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	8
PID 2496 wrote to memory of 772	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	9
PID 2496 wrote to memory of 772	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	9
PID 2496 wrote to memory of 772	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	9
PID 2496 wrote to memory of 772	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	9
PID 2496 wrote to memory of 772	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	9
PID 2496 wrote to memory of 772	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	9
PID 2496 wrote to memory of 792	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	10
PID 2496 wrote to memory of 792	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	10
PID 2496 wrote to memory of 792	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	10
PID 2496 wrote to memory of 792	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	10
PID 2496 wrote to memory of 792	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	10
PID 2496 wrote to memory of 792	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	10
PID 2496 wrote to memory of 896	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	11
PID 2496 wrote to memory of 896	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	11
PID 2496 wrote to memory of 896	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	11
PID 2496 wrote to memory of 896	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	11
PID 2496 wrote to memory of 896	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	11
PID 2496 wrote to memory of 896	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	11
PID 2496 wrote to memory of 956	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	12
PID 2496 wrote to memory of 956	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	12
PID 2496 wrote to memory of 956	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	12
PID 2496 wrote to memory of 956	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	12
PID 2496 wrote to memory of 956	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	12
PID 2496 wrote to memory of 956	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	12
PID 2496 wrote to memory of 60	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	13
PID 2496 wrote to memory of 60	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	13
PID 2496 wrote to memory of 60	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	13
PID 2496 wrote to memory of 60	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	13
PID 2496 wrote to memory of 60	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	13
PID 2496 wrote to memory of 60	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	13
PID 2496 wrote to memory of 736	2496	571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe	14

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:772
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2244
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3832
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3924
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3984
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4064
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4236
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4248
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:5060
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:1360
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1968
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2792
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:1332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1464
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2016

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2808

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3416

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
  "C:\Users\Admin\AppData\Local\Temp\571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a418D.bat
    3⤵
    - Modifies firewall policy service
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe
      "C:\Users\Admin\AppData\Local\Temp\571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2496
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4900

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
519b2e498c85d704ac779e503b0b2f71

SHA1
6ed59a21fae48fe4d239e5495337d0e00a3bc583

SHA256
05e9e68956f162ce3a6a6aaea3319d3310535dbec74480c4f1d3c0ed93107e9f

SHA512
8ccd502784d43c369ef5c0244b1ed5b64685c7cf03747ef7a5be6416df800708c03160c831221273d4883634e6b63868067fd8ae864b872619b63f00a172c7f2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
132KB

MD5
795ab83bf741093d0841a00a0d43c2be

SHA1
595b4d9df0c171a34bf60a6543b8b7274814ac59

SHA256
73ab13081b106772e4a35fbf33060b29e3bfe78375a85609237329ac4a54e573

SHA512
67bf8ddd66f28be381de84efbcf41bdf4f0f7c4ca798f6542a96ffec26c9933d75b6f58d4ec72a60d73d8a7c188d713c82ab717f57eee0aebcb50666c125e0c7

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
481KB

MD5
1db5b390daa2d070657fbdb4f5d2cc55

SHA1
77e633e49df484b827080753514cc376749b0ceb

SHA256
d5fbaf5c0d8e313d4dad23b28cac4256c5dbed6ab3b0d797e2971f30c5e095ad

SHA512
68aa0152f5aae79a146c1813915fd16ec5454b285bd1781370923f97d6c147d53684192f7f4161e5c1a340959ec432ecaac127b0abe7d08f70c387e08ee4f617

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a418D.bat

Filesize
722B

MD5
40b52ac20a79b42e05a705c8486e3caa

SHA1
cbcb36873c7504a3a7a7313ef874bbd4ecbf4a77

SHA256
88b30871be24923cde629412eb2db828c1919c6c0dc274cdec350c54205db11b

SHA512
ca3257a3c3c86377c29029bc0f767fb2aaa0030bcf73944b737b0cab45250afafbb95540ef9134b225dfe4ad642e2411771f9002b48cfff3acff2c275a11d447

Download Submit
C:\Users\Admin\AppData\Local\Temp\571c9a384e15ad5b58789f26634a1ce35632c9630c0c5ff55b33645bcaa80666.exe.exe

Filesize
306KB

MD5
30066f84465f586a6441ccd6b552de9c

SHA1
cb433688018661f115100eb2029fba1a4acda990

SHA256
759392e92c915a252d638289d2147b437133f232cb4e25694f3b2c8fe8d2374b

SHA512
57e0c6a44ca25a60ea2bacd5b958da3e377320cee3abd73af9c349e56252402e538ce4cb8bf7483059becf48b8df53fd85c8cb27c9416b079034c4812db39e00

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
43a0f2479ef3e3cc7cd43cfcfe13f590

SHA1
8c68ef9e3cc2e89d60fc8a824e3a5a01faaa7436

SHA256
fc996bb822bc20dc54bb0f67b8d2657227e904996a73ed64b7cc7a91d259b17a

SHA512
5ff51fa88118d1cdddad4409df1ea9f7aa393255b00722776084e938756b8e2940b23d6a344b43ea7f24cd2b43a91fd70506dbeabaf3e4e7cee351c86ca7263c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1497073144-2389943819-3385106915-1000\_desktop.ini

Filesize
9B

MD5
99e7b853191358d26886fb0fbf829151

SHA1
e48d4d584139ac8cef25e13fec7558deb3394143

SHA256
e361153f54284dcb6dd9194e2517751c54440206148beb878dfd37e380405f4d

SHA512
d9de2712f2d0af5774acd4f44b4081f9b0d6e7bcd43518431ec8e53932a9e10bcd3ee93fa8565a79619e0b10b3c7178fdfc5ff11675198a6f035a15f6aa03280

Download Submit
memory/1188-1211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-4748-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-1182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-821-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-28-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/1188-41-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/1188-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-20-0x000000007F8D0000-0x000000007F8DC000-memory.dmp

Filesize
48KB

Download
memory/2272-30-0x000000007F8D0000-0x000000007F8DC000-memory.dmp

Filesize
48KB

Download
memory/2272-24-0x000000007F8D0000-0x000000007F8DC000-memory.dmp

Filesize
48KB

Download
memory/2272-23-0x00000000778D3000-0x00000000778D4000-memory.dmp

Filesize
4KB

Download
memory/2272-22-0x000000007F8D0000-0x000000007F8DC000-memory.dmp

Filesize
48KB

Download
memory/2272-21-0x00000000778D2000-0x00000000778D3000-memory.dmp

Filesize
4KB

Download
memory/2272-19-0x000000007F8D0000-0x000000007F8DC000-memory.dmp

Filesize
48KB

Download
memory/2496-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2496-26-0x00000000778D3000-0x00000000778D4000-memory.dmp

Filesize
4KB

Download
memory/2496-25-0x00000000778D2000-0x00000000778D3000-memory.dmp

Filesize
4KB

Download
memory/2496-18-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3100-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download